It's not more vulnerable; it's as vulnerable as any other package manager where anyone may upload code, without sufficient review, for people to blindly install and run.
We have already seen this abused in browser extensions being repurposed to inject advertising, in Node and Ruby modules being converted to malware, in cryptocurrency miners being added to games on Steam, etc. There was even a Nintendo Switch game that bundled a Ruby IDE, and I believe iOS has had apps surreptitiously bundling other software too.