https://blog.nietaanraken.nl/posts/aur-packages-github-repo-jacking/
Moral seems to be that, as well as checking PKGBUILDs for sanity, check the sourced GitHub repo is not redirecting.
If it is, it's a security hole.
Be nice if GitHub implemented no reuse of usernames like Google with their email addresses.
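
One way to run the redirect check suggested in the post above, as an added example that is not part of the original post or the linked article: it lists the GitHub repos a PKGBUILD references and asks GitHub for each repo page without following redirects. The function names, the sample PKGBUILD and its owner/repo names are constructed for illustration, and the script assumes a renamed or transferred repo answers with an HTTP 3xx on `https://github.com/<owner>/<repo>`.

```shell
#!/bin/sh
# Added example (not from the post): flag GitHub sources in a PKGBUILD whose
# repo URL answers with a redirect. Assumes a renamed or transferred repo
# returns an HTTP 3xx on https://github.com/<owner>/<repo>.

# Constructed sample PKGBUILD fragment; owners and repos are placeholders.
sample_pkgbuild() {
    cat <<'EOF'
pkgname=example-tool
source=("git+https://github.com/example-owner/example-tool.git#tag=v1.2.0"
        "https://github.com/other-owner/helper-lib/archive/v0.3.tar.gz"
        "https://example.org/patches/fix.patch")
EOF
}

# Print unique owner/repo pairs from github.com URLs in the file "$1".
# The file is only read as text, never sourced. URLs built from variables
# such as $pkgname are not expanded and must be checked by hand.
github_repos() {
    grep -oE 'github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+' "$1" |
        sed -E 's#^github\.com/##; s#\.git$##' |
        sort -u
}

# Map an HTTP status code to a verdict.
classify() {
    case "$1" in
        200) echo ok ;;
        3??) echo redirected ;;
        404) echo missing ;;
        *)   echo unknown ;;
    esac
}

# Request the repo page without following redirects; print repo, verdict
# and the redirect target (empty when there is none).
check_repo() {
    out=$(curl -s -o /dev/null --max-time 10 \
        -w '%{http_code} %{redirect_url}' "https://github.com/$1") || out="000 "
    printf '%s\t%s\t%s\n' "$1" "$(classify "${out%% *}")" "${out#* }"
}

# Usage: sh check-github-sources.sh PKGBUILD
if [ "$#" -gt 0 ]; then
    for repo in $(github_repos "$1"); do check_repo "$repo"; done
fi
```

A `redirected` verdict means the PKGBUILD should be updated to point at the redirect target after confirming that the target is the upstream project.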