Found two great posts on how to take some precautions when using the Arch User Repository. To whom it may concern.
How to review an AUR package - Bert Peters https://bertptrs.nl/2026/01/30/how-to-review-an-aur-package.html
AUR Chaos malware: an analysis What happened, and an investigation of the malware - mh4ckt3mh4ckt1c4s https://www.mh4ckt3mh4ckt1c4s.xyz/blog/aur-chaos-malware-analysis/#conclusion
Pacman hooks install to /usr/share/libalpm/hooks (and sometimes to /etc/pacman.d/hooks though that’s incorrect).
Incorrect, for the package I guess, because there are the user's hooks?
Good question. I haven’t used custom hooks myself, but I believe you are correct. The alpm (Arch Linux Package Management) hooks manual states:
Hooks are read from files located in the system hook directory /usr/share/libalpm/hooks, and additional custom directories specified in pacman.conf(5) (the default is /etc/pacman.d/hooks).
So I guess the blog post means to say that hooks are not supposed to be added automatically at installation of a package.
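
A read-only audit of the two hook directories discussed above, added here as an example and not part of the thread or of either linked post. It lists every .hook file with its owning package (from `pacman -Qqo`) and its Exec command; the function names are hypothetical, and the parsing assumes one `Exec = ...` line per hook file.

```sh
#!/bin/sh
# List alpm hooks with the package that owns each file and the command it runs.
# Default directories are the two named in the thread; pass others as arguments.

# hook_exec FILE: print the command that follows "Exec =" in a .hook file.
hook_exec() {
    sed -n 's/^[[:space:]]*Exec[[:space:]]*=[[:space:]]*//p' "$1"
}

# hook_owner FILE: name of the owning package, or "unowned" when pacman
# tracks no owner for the file (or pacman is not installed on this machine).
hook_owner() {
    if command -v pacman >/dev/null 2>&1; then
        pacman -Qqo "$1" 2>/dev/null || echo unowned
    else
        echo unowned
    fi
}

# audit_hooks DIR...: one tab-separated line per hook: path, owner, Exec.
audit_hooks() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # skip directories that do not exist
        for f in "$dir"/*.hook; do
            [ -f "$f" ] || continue        # unmatched glob or not a regular file
            printf '%s\t%s\t%s\n' "$f" "$(hook_owner "$f")" "$(hook_exec "$f")"
        done
    done
}

# With no arguments, audit the system directory and the default custom one.
if [ "$#" -eq 0 ]; then
    set -- /usr/share/libalpm/hooks /etc/pacman.d/hooks
fi
audit_hooks "$@"
```

In the output, a file under /etc/pacman.d/hooks whose owner column names a package was shipped there by that package, which is the placement the quoted blog post calls incorrect; the Exec column shows what each hook runs during a transaction.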

