I don't think computer people really realize just how little (relevant) malicious code actually exists on the anyone-can-upload package registries, and folks seem to consistently overestimate the actual threat level here
And no, it's not *just* security folks overestimating the threat level, tons of software developers do it too (and often at the same time overlook the things that are *actually* dangerous)
This also feels like one of those cases of the metaphorical-law-I-forgot-the-name-of, where people perceive an uncommon event as being really common because it's so uncommon that it gets widely reported every time it happens, and therefore skews people's perception of its frequency
As a bit of extra background: I've been professionally auditing (probably thousands of) FOSS dependencies for years now, in a high-risk environment, and *not once* have I run across deliberately malicious code, not even questionably broken code, really.
Every single issue so far has been a security issue, none that were likely to be disguised backdoors. Many of them very common security issues that most developers are likely to create themselves when reinventing wheels (eg. when avoiding dependencies out of a misguided fear of malicious code).
That's where the *real* risk is.
(Corollary: packages that boast "zero dependencies" on average tend to contain far more bugs and even security issues than equivalent packages with transitive dependencies; which is not that surprising, when you consider that this means it'll be reinventing a lot of wheels inline)
@joepie91 "zero dependencies" can mean "we suffer from NIH so we re-invent all the wheels all the time", but it can also mean "there are depdencies but we bundle everything ourselves in some nonstandard way and most of it are outdated versions".
I'm not sure which one is worse, both are not great.