People are way too inclined to believe that just because some program, language, operating system, or whatever is safer than others, it’s Safe with a capital S. No, no, it’s not. https://www.legitsecurity.com/ recently revealed a new class of software supply chain vulnerability in https://github.com/features/actions and Rust. This vulnerability leverages artifact poisoning to attack the underlying software development pipelines.

The attacker doesn’t even need code review approval since the vulnerable build action runs with the malicious code before it’s formally accepted into the project.

That said, this again underlines that you must know exactly what is in every component you use to build your program.
