npm and all the other public buckets of open source code... they all have the ability to inject code into an app that could simply ping a remote endpoint and do something dodgy.