I know this story is more-so about a trojan in a trusted place, and not general security, but I have an anecdote to share.
So, time to fess up here. I previously complained about Google trapping me in captcha-hell for enabling Ublock Origin.
I was wrong.
Turns out that I had visited a movie streaming site a while before to watch a season of some show, I forget which. Without any downloads or noticeable input on my part. My Linux box apparently got hacked/malware. All I did was click the occasional "I am a human" box on the website, and sit back with popcorn.
I found out when my ISP starting blocking IP addresses some time later. I checked my modem's logs, and they showed some unexplained traffic to impossible "unassigned" IP addresses afterward. I didn't notice for a while.
I was stupid. Even worse, my phone also started behaving badly after that. I think I watched the last few episodes in bed, so must have infected that too.