Mastodon Feed
All commercial package managers seem to have problems with malware.
Both the kind that they allow, which is already a lot, and the kind that they don't allow, which slips through anyway.
They're adding more and more stuff to try to catch the latter kind.
Mandatory developer fees, notarization, lots of hurdles.
I think the worst I ever heard of in a non-commercial package manager, where no kind of malware is allowed, was a program that used Google Analytics and wasn't spotted.