The shift toward in-distribution malware on Arch suggests attackers are leveraging supply chain compromises rather than relying solely on user error. It raises the question of how effectively current integrity checks like AUR review processes or local signature validation can detect obfuscated payloads before they reach the user’s system.