mazylol [1] filed a deletion request for yy [2]: This is malicious and part of a wider supply chain attack hinging on an npm package called atomic-lockfile. Clearly trying to take advantage of yay users. Install script calls a binary hidden in an npm install script, which when de-compiled, looks like malware with a lot of calls to an SQL database and what looks to be like code meant to read private keys.
[1] https://aur.archlinux.org/account/mazylol/ [2] https://aur.archlinux.org/pkgbase/yy/
