anything except that it's malware installed via npm
replyFrom the Arch mailing list [0]
reply>The result is a rather long list of ~408 packages all doing npm install atomic-lockfile something something
[0] https://lists.archlinux.org/archives/list/aur-general@lists....
They could've pip installed, curl|sh'd or anything else, it's not relevant to the underlying issue.
replyPerhaps there were other vectors, but npm was the one used here.
replyAnd yes, this is an AUR issue, but npm being used to host and dissiminate malware is also [a chronic] one, even if separate.