npm install atomic-lockfile ...

(Exact variations exist, but that's the core pattern.) This affects ~408 packages according to reports.

When users (or AUR helpers) build these packages with makepkg, it executes npm install, which downloads and runs the atomic-lockfile npm package. That package was published very recently and includes a preinstall script (a Rust binary at ./src/hooks/deps) that runs automatically during installation.