A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
I am not at home (and work is stuck on Windows) so I can’t verify with 100% certainty… But I believe what I did was pacman -Qm to list the AUR packages. Then I did pacman -Qi <package_name> to list the details about why it was installed, what dependencies it has, what depends on it, and when it was last updated. Mine showed like 2 years prior (whenever I installed the OS) because there hadn’t been any update to it in years (until the attack). If your date for last updated is recent, you probably have a problem.
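The check described in the comment above, scripted as an added example (not part of the original post): it reads `pacman -Qmi` output in the C locale and lists foreign packages whose Install Date falls on or after a cutoff. The function names `flag_recent` and `sample_qi`, the package names, the dates and the default cutoff are constructed for illustration.

```shell
#!/bin/sh
# Added example: list foreign (AUR) packages installed or updated on/after a cutoff.
# Input is `pacman -Qi`-style text in the C locale, where dates look like
# "Tue Jun 10 09:14:22 2025".

# flag_recent CUTOFF  (CUTOFF as YYYY-MM-DD); prints "name<TAB>YYYY-MM-DD"
flag_recent() {
    awk -v cutoff="$1" '
        BEGIN { gsub(/-/, "", cutoff); months = "JanFebMarAprMayJunJulAugSepOctNovDec" }
        /^Name +: / { sub(/^[^:]*: /, ""); name = $1 }
        /^Install Date +: / {
            sub(/^[^:]*: /, "")            # fields are now: weekday month day time year
            i = index(months, $2)
            if (!i) next                   # not a C-locale date, skip rather than guess
            m = (i + 2) / 3
            stamp = sprintf("%04d%02d%02d", $5, m, $3)
            if (stamp + 0 >= cutoff + 0)
                printf "%s\t%04d-%02d-%02d\n", name, $5, m, $3
        }'
}

# Constructed sample so the script also runs on a machine without pacman.
sample_qi() {
    cat <<'EOF'
Name            : example-aur-old
Version         : 1.0-1
Build Date      : Sat Mar 11 17:58:03 2023
Install Date    : Sat Mar 11 18:02:40 2023
Install Reason  : Explicitly installed

Name            : example-aur-new
Version         : 2.3-1
Build Date      : Tue Jun 10 09:11:57 2025
Install Date    : Tue Jun 10 09:14:22 2025
Install Reason  : Explicitly installed
EOF
}

cutoff="${1:-2025-06-01}"   # constructed default; pass the date you care about
if command -v pacman >/dev/null 2>&1; then
    # -Qm limits the query to foreign packages, -i prints the detail fields.
    LC_ALL=C pacman -Qmi | flag_recent "$cutoff"
else
    sample_qi | flag_recent "$cutoff"
fi
```

Each package it lists can then be inspected with pacman -Qi <package_name>, as in the comment.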