Arch Linux’s AUR is experiencing a malware incident involving user-contributed packages with malicious commits that attempt to download npm-based payloads during installation. (…)
Arch users should not update AUR packages without review. Examine PKGBUILD diffs, check any new .install files, and be cautious if updates introduce npm commands or dependencies unrelated to the software.
Users who recently updated affected AUR packages should review package history, examine executed suspicious install scripts, and treat any unexpected npm-based installation behavior as a possible compromise.
same way you get packages anywhere else
Anywhere else, I just need the package from the brave project or their repo. I trust the brave project, I do not trust the AUR for reasons.
There is an install script for linux front and center on the page (classic curl into sh). For other distros, they’re having you add their own repository and install from that. Just as sketchy.
It’s unwise to trust Brave, anyway.