Hello list. I didn't see what happened in this case exactly, but in many cases this happened after a maintainer change, not because of a compromise of the existing maintainer's account, so 2FA wouldn't solve it.
I think one of the most effective solutions would be requiring invites like e.g. lobste.rs does (https://lobste.rs/about#invitations). Requiring reviews by "high reputation" maintainers after an adoption for highly-used packages could also help. The various UIs (AUR web and helpers) could also surface this to the user (warn when a new version is by a different maintainer, for instance). Finally, automated scans can always help I guess, but malicious people will often find ways to work around them.

Best.

-- Pierre Chapuis
