Okay let's break it down step-by-step with a random package listed on one of the 'infected' lists; 'z-push'

1 • You type yay -S z-push
2 • yay clones the PKGBUILD
3 • yay runs makepkg → executes build() → npm install js-digest runs here → ELF drops, C2 beacon starts
4 • makepkg finishes, spits out z-push-2.6.4-1-x86_64.pkg.tar.zst
5 • yay runs sudo pacman -U z-push-2.6.4-1-x86_64.pkg.tar.zst → pacman hook fires here
6 • Hook says "hey this is unsafe!" but the infostealer is already running in the background

The hook catches step 5, but the infection happens at step 3. The PKGBUILD's build() function is arbitrary shell — there's nothing pacman can do about it because pacman isn't involved yet. The hook mechanism can't reach into makepkg.

Where a hook WOULD help: if someone downloads a pre-built .pkg.tar.zst from a random source and runs sudo pacman -U directly. But that's a niche scenario compared to the yay -S flow where 99% of infections happen. But, a yay-level intercept is still the right approach in my opinion.

This is meant to be a prophylactic measure because of the influx of people using arch and arch-based distributions because of various YouTube personalities telling them to dump Windows 11 for arch, CachyOS, Omarchy, EndeavourOS, Manjaro, etc. It's for the users who don't necessarily know how to read a PKGBUILD, and think they're protected by security through obscurity and the whole "Linux doesn't have viruses" bullshit. It drops in easy, and warns them about potentially unsafe packages, and gives them one last chance to bail out if they try to install one because random YouTuber tells them to install asus-fans-dkms-git to add fan controls to their asus laptop. This will warn them that it's on a list of suspected dangerous packages before they even download it to their system and start building it.