Well, imagine that you are trying to install an npm package and misspell the name, but a package with the misspelled name already exists and you accidentally install it. There you go: they will welcome you as their new guinea pig.
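As an added example (not code from the original post), here is the kind of defender-side check that catches the misspelling scenario above before it is installed: every dependency name in a manifest is compared against an allowlist of packages the team has actually vetted, and any name that is not on the list but sits within a small edit distance of one is flagged for review. The allowlist, the manifest and the package names in it are constructed sample data, and `auditDependencies` is a hypothetical helper name.

```javascript
// Added example: flag dependency names that are near-misses of a vetted allowlist,
// a simple typosquatting check that runs before `npm install`.
// All package names and versions below are constructed sample data.

// Classic Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];       // dp[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];    // dp[i-1][j], needed as next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Packages the team has reviewed and agreed to depend on (constructed allowlist).
const KNOWN_GOOD = ["lodash", "express", "react", "left-pad"];

// The "dependencies" object of a package.json under review (constructed).
const SAMPLE_MANIFEST = {
  lodash: "^4.17.21",
  expres: "^4.18.2",   // one character short of "express"
  loadsh: "0.0.4",     // two adjacent letters swapped in "lodash"
  "left-pad": "1.3.0",
};

// Returns the names that are NOT on the allowlist but look like one of its entries.
// Exact allowlist matches pass; everything else within maxDistance is reported.
function auditDependencies(manifest, allowlist, maxDistance = 2) {
  const findings = [];
  for (const name of Object.keys(manifest)) {
    if (allowlist.includes(name)) continue;
    let closest = null;
    let best = Infinity;
    for (const good of allowlist) {
      const d = levenshtein(name, good);
      if (d < best) { best = d; closest = good; }
    }
    if (best <= maxDistance) findings.push({ name, closest, distance: best });
  }
  return findings;
}

// Stand-alone usage: print the findings as a reviewer would see them in CI.
for (const f of auditDependencies(SAMPLE_MANIFEST, KNOWN_GOOD)) {
  console.log(`suspicious dependency "${f.name}" looks like "${f.closest}" (distance ${f.distance})`);
}

module.exports = { levenshtein, auditDependencies, KNOWN_GOOD, SAMPLE_MANIFEST };
```

Names that are not on the allowlist and not close to anything on it are deliberately left out of the findings: they are unvetted, but that is a different review question than "did someone fat-finger a popular name". Tune `maxDistance` to the length of the names you care about; distance 2 on a five-letter name is a much bigger change than on a twenty-letter one.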
Statistics say that 90% of the software we use is open source, and that's why a lot of companies don't trust open source software and don't use it to develop their own products. Even if it costs them more money, they will take the risk and try to build their own solution.
Nope. I want to kindly remind you that tools and compilers are also software, and software can be hacked. And remember that these people use their skills and influence to get good jobs, so they could be working at the company that develops the IDE you are using and tamper with your compiler. So even when you download it from a safe source, nothing guarantees you that it is 100% safe.
If you want to think a little deeper, imagine that you buy a brand new CPU. Guess what? It might not be clean either. Software is hackable, everywhere.