I would still note that this is not some kind of unique problem to Linux. There have been documented instances of malware making it to the Play Store, which is supposed to have a much more rigorous vetting process than AUR and costs actual money to publish on.
Just to expand... When the above user is comparing to Windows, who got most of the US government breached, I do think shade against AUR is uncalled for. Its just a community host for packages, comes with warnings, and isn't enabled by default, etc.
I can still happily upgrade via pacman without fear. Haven't been able to update on Windows without concern for over a decade - the malware comes builtin.
