Many packages have just been added or updated with malicious install files. Watch out for new maintainers updating old orphaned packages, adding npm as a dependency and adding an install file. See the workbench commit below (should be reverted soon, I just reported it).
A few examples from the last 24 hours:
yay4 (deleted), minitube (commit reverted), gnome-randr-rust (commit reverted), workbench (commit)
EDIT: More are being reported, see the recent aur-general mailing list posts.
EDIT 2: New Arch forum topic:
The Moderation team is aware and a few of the moderators are already cleaning things up!
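An added example, not part of the original post: a small check that compares the previous and updated PKGBUILD of a package and flags the two changes described above, npm newly appearing as a dependency and an install file being added. The sample PKGBUILDs are constructed, and the function names `parse_pkgbuild` and `review_update` are hypothetical.

```python
import re

# Constructed sample PKGBUILDs (not taken from any real AUR package).
OLD_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
depends=('qt5-base' 'glib2')
makedepends=('cmake')
"""
NEW_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.0
pkgrel=2
depends=('qt5-base' 'glib2'
         'npm')
makedepends=('cmake')
install=example-tool.install
"""

DEP_ARRAYS = ("depends", "makedepends", "checkdepends", "optdepends")

def parse_pkgbuild(text):
    """Return (set of dependency names, install file name or None)."""
    deps = set()
    for name in DEP_ARRAYS:
        # Covers multi-line arrays, arch-suffixed names and '+=' appends.
        for m in re.finditer(rf"^\s*{name}(?:_\w+)?\+?=\(([^)]*)\)", text, re.M):
            body = re.sub(r"#.*", "", m.group(1))  # drop comments inside the array
            for tok in re.findall(r"""'([^']*)'|"([^"]*)"|(\S+)""", body):
                token = next(filter(None, tok), "")
                deps.add(re.split(r"[<>=:]", token)[0].strip())  # strip versions/descriptions
    # install= names a scriptlet that pacman runs as root on install/upgrade.
    m = re.search(r"^\s*install=(['\"]?)([^'\"\s#]+)\1", text, re.M)
    return deps, (m.group(2) if m else None)

def review_update(old_text, new_text):
    """List the changes between two PKGBUILD versions that match the pattern."""
    old_deps, old_install = parse_pkgbuild(old_text)
    new_deps, new_install = parse_pkgbuild(new_text)
    findings = []
    if "npm" in new_deps - old_deps:
        findings.append("npm added as a dependency")
    if new_install and new_install != old_install:
        findings.append(f"install file added or changed: {new_install}")
    return findings

if __name__ == "__main__":
    print(review_update(OLD_PKGBUILD, NEW_PKGBUILD))
```

A finding is a prompt to read the diff and the install file before building, not proof of compromise; many legitimate packages use either feature.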