uto 5 days ago

I observed a VS Code plugin compromise itself after running: "npx exec nx@latest --version".

Is it really that easy to get infected, or am I missing a more dangerous step it took? If this behavior is common, doesn’t it mean you could be exposed even without using a vulnerable plugin version, since it auto-runs @latest scripts just to check the version?