Attackers (or a coordinated set of compromised accounts) targeted many orphaned AUR packages—those without active maintainers. They pushed commits that added lines like this to the PKGBUILD (or related build files):bash

npm install atomic-lockfile ...

(Exact variations exist, but that's the core pattern.) This affects ~408 packages according to reports.

When users (or AUR helpers) build these packages with makepkg, it executes npm install, which downloads and runs the atomic-lockfile npm package. That package was published very recently and includes a preinstall script (a Rust binary at ./src/hooks/deps) that runs automatically during installation.