Most of the time they will go from drupal.org luckily there's very little else
And once again, what does rogue code has to do with Drupal? Nothing. The same would happen with almost any system. Name any CMS which is actually used in the wild and doesn't get compromised if you install rogue code right into the codebase.
And once again, what does rogue code has to do with Drupal? Nothing. The same would happen with almost any system. Name any CMS which is actually used in the wild and doesn't get compromised if you install rogue code right into the codebase.