Recently a backdoor was discovered in a core package that pretty much all Linux distributions use. Read more here. Since TROMjaro is a Manjaro fork (thus Arch) is very likely to no be affected by it. However it is better to be safe than sorry.