A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
There IS one person that inspect the code for everyone, that’s the package maintainer. But it’s a random voluntary contribution from some random person who you should not blindly trust. That’s the point of the AUR, one person makes it significantly easier to install for everyone. The point is to be better than installing directly from somewhere like GitHub. For actual good moderation there are officials repos