If you do any npm install, pip install ..., docker pull ... / docker run ... , etc in linux. It is very easy to get compromise.
I did docker pull a few times base on some webpost (looks reasonable) and detect app/scripts from inside the docker connect to some .ru sites immediately or a few days later....