A couple of months ago I wrote about how I was considering moving from Bazzite to CachyOS. I had yet to make the move, in large part because Bazzite on my decade-old Dell XPS 15 was working very well and was doing what I needed it to do. It's great as a companion machine for marking student work and general admin when I'm not on my work-provided laptop (unmanaged, thankfully). I don't like using my main personal laptop for accessing student work, partly because of data protection aspects, but mostly for the security of my own machine. I've had one virus scare; I don't want another.
I also have my old Surface Go Laptop running Zorin OS (18), which runs very well on it, especially for casual browsing and watching media. The screen is too small to do much else.
So, I'm pretty happy with my Linux usage at the moment, even if the tinkering side of me does like the idea of Cachy. But yesterday I started seeing panicked posts on Reddit about a serious malware breach of the AUR, which is the Arch User Repository. Cachy is a version of Arch, but more user-friendly, basically with better onboarding. This also means it has access to the AUR, which is a repository of software (packages); the main difference is that, as the name implies, it is maintained by users rather than centrally by Arch or Cachy (although both also have their own more official repositories, which are, understandably, far more limited than the user version).
In practice this can be considered next-level open source, because anyone can modify it and there is a large layer of trust. When Arch (and Cachy) were small, this was fine, but as both grow in users, so do they grow as a target. Now, we don't know who is responsible. Some are blaming Microsoft, which seems a stretch; others, government actors. The latter also seems a stretch, especially as nation states aren't using Arch, let alone the AUR.
Other means of obtaining software on Arch/Cachy exist, Flatpaks being a big one (even though these are also susceptible to issues), but it does take away one of the elements that many had pointed to as one of its strengths. Ultimately, it's another instance of why we can't have nice things because humans continue to be awful.