Hundreds of orphaned packages hosted by the Arch User Repository (AUR) have been compromised by an attacker who has added a malicious npm package (atomic-lockfile) that can exfiltrate sensitive data. The project is currently working on cleaning up the mess. There is a list of affected packages and post by "sodiboo" with additional information. Arch Linux users (or users of Arch-based distributions) that use AUR packages may wish to see if they have installed any of the compromised updates.