https://arstechnica.com/information-tec ... rd-tokens/People's trust in repositories make them the perfect vectors for malware.
even github, i only download from known popular gits, not just some random person with little background/history dyor, and be careful what you download.