Anyone can upload stuff to the AUR, so it's only to be expected that there's some malware there. At the very top of the wiki page for the AUR[0], it warns:
> Warning: AUR packages are user produced content. These PKGBUILDs are completely unofficial and have not been thoroughly vetted. Any use of the provided files is at your own risk.
If you want to stay malware-free and aren't able to vet the packages you're installing, just stick to the official repositories and you'll be fine. This page[1] documents the role of each official repository, and this page[2] is a list of the people who can modify the official community repository.
[0]: https://wiki.archlinux.org/index.php/Arch_User_Repository
[1]: https://wiki.archlinux.org/index.php/Official_repositories
[2]: https://archlinux.org/people/trusted-users/
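As an added illustration of what vetting a PKGBUILD looks like in practice (example script written for this page, not part of the comment above or of any Arch tooling), the snippet below runs a few mechanical checks over a constructed sample PKGBUILD: it lists where the files are downloaded from, counts checksums set to `SKIP`, and counts pipe-to-shell lines in the build functions. The package name and URLs in the sample are invented.

```shell
#!/bin/sh
# Constructed sample PKGBUILD (not a real AUR package) used only to exercise the checks.
SAMPLE_PKGBUILD=$(cat <<'EOF'
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
source=("https://github.com/example/example-tool/archive/v$pkgver.tar.gz"
        "https://paste.example.net/raw/setup.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
prepare() {
  curl -fsSL https://paste.example.net/raw/setup.sh | sh
}
EOF
)

# List every URL in the source=() array so the reviewer sees where files come from.
pkgbuild_sources() {
  printf '%s\n' "$1" | sed -n '/^source=(/,/)/p' | grep -Eo 'https?://[^" )]*'
}

# Count checksum entries set to SKIP: those downloads are never integrity-checked.
pkgbuild_skip_count() {
  printf '%s\n' "$1" | sed -n '/^sha[0-9]*sums=(/,/)/p' | grep -c "'SKIP'" || true
}

# Count lines that pipe curl/wget output straight into a shell inside the build functions.
pkgbuild_pipe_to_shell_count() {
  printf '%s\n' "$1" | grep -Ec '(curl|wget)[^|]*\|[[:space:]]*(sh|bash)' || true
}

# Human-readable summary for a manual review before running makepkg.
pkgbuild_report() {
  echo "Download sources:"
  pkgbuild_sources "$1"
  echo "Checksums set to SKIP: $(pkgbuild_skip_count "$1")"
  echo "Pipe-to-shell lines:   $(pkgbuild_pipe_to_shell_count "$1")"
}

pkgbuild_report "$SAMPLE_PKGBUILD"
```

A clean result from these checks is not a guarantee of anything; it only narrows down which parts of the file deserve a careful read.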