A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
Are you aware of how GitHub works, or open source development in general?
Some users are developers, too.
Some people write code, others may try it out, and a few of the latter might help with developing it. And some of these efforts become popular.
That’s how we have Linux or KDE.
It is all based on open sharing.
And of course you can opt not to run code that you don’t know, don’t understand, or don’t trust.