> Larger companies do exactly this.

Someone committed malicious code in Amazon Developer Q.

AWS published a malicious version of their own extension.

https://aws.amazon.com/security/security-bulletins/AWS-2025-...