A number of commercial entities and relevant advocates have made the claim for years. It is certainly the case that infected copies of commonly pirated software exist, though they are not as common as some would lead us to believe (at least not of you chose your sources carefully… ahem…).
For a little anecdata: I know at least one person who has encountered this, having his gaming machine encrypted for ransom after installing a copy of a pirated game (luckily for him the machine had nothing on it aside from the games and some media he had copies of elsewhere, and the attack didn't seem to get hold of any credentials (or if it did, no one tried to use them before he got them updated)). There was also apparently a spate of pirated copies installing crypto miners, though I don't know anyone affected by that, and malware disguised as audio/video files was definitely a thing back in the Napster era.
Another place the impression can come from is that some AV tools pick up on parts of the pirated copies as malware even if they aren't. In some cases this will be because they look enough like it (for instance the installer working as usual then patching executables) for heuristics to kick out a false positive), and some claim that commercial products have been paid to include signatures that match common piracy groups' so they get quarantined & warned as malware even though they aren't.
