You might think that, but if we’re talking about a frontend service that doesn’t really handle much sensitive info (if any), there’s a lot juicier stuff on my machine than just pushing malware to that codebase (not least other codebases on my machines)