From the Arch mailing list [0]

>The result is a rather long list of ~408 packages all doing npm install atomic-lockfile something something

They could've pip installed, curl|sh'd or anything else, it's not relevant to the underlying issue.

	▲	notabotiswear 5 hours ago \| parent [-]
		Perhaps there were other vectors, but npm was the one used here. And yes, this is an AUR issue, but npm being used to host and dissiminate malware is also [a chronic] one, even if separate.