This account was created June 11th using a bogus Gmail address, and took ownership of both vbam-git, and mingw-w64-geos. At the time of writing, there do not appear to be any malicious commits (I have a local copy of vbam-git's PKGBUILD, which was not updated yesterday when doing a git pull), but since this attack has been done in waves, it's possible these were being reserved for a third, especially since the account was created after previous waves.