I am gonna get a lot of hate for this but the AUR flaws are hidden behind a legal warning of “At your own risk”. They just don’t want to take the legal consequences for this. That’s why there are basically 0 preventive measures for detecting bad actors and preventing malicious attacks.

I can think of some solutions:

1. If a package is orphaned then let a potential maintainer just fork it and flag the original for deletion. So the user who has actually installed the old package and want an update will manually go out looking for the updated one instead of just doing a yay -Syu one day and getting malware on the system.
2. If the developer and maintainer are the same for an AUR package, let them maybe add a ArchWiki style captcha, whose output can be added to the upstream repo like in .aurverification file, which can be detected by AUR when putting in the upstream repo URL and the maintainer must verify with that captcha every 6 months or so just to prove active development. If they fail to do so, mark the package as abandoned or unverfied.
3. Newly created accounts will have a cooldown of a week to add a new package to the AUR (I don’t know if this exists already as I haven’t looked into it). And they can only create one repo in a month until a year has passed. They can takeover or fork orphaned packages only after a year and if they are maintaining at-least one repo of their own.