http://www.perlmonks.org?node_id=977282


in reply to Malware on CPAN

I've never heard of any malware, but I do worry, especially when running cpan as root. The most noticed unfounded worry for me is seeing in some modules, written on Windows I presume, files that unpack on Linux in mode 777, executable by anyone. Many of these files are just text files, but they could be sprinkled with bash commands. Nothing has ever happened though, so I don't worry much, but I shudder every time I see them in an unpacked module.

Another worry I have, although it may be unfounded, is that the network security engineers could set up a system where they switch a good download with one loaded with some malware through some temporary DNS chicanery. This would not be CPAN's fault. In this new age of cyber-warfare, I wouldn't put it past the various agencies to try it.

Of course, I always download and build all modules as an underprivileged user, then after inspection, install as root, or even better install to the user's home directory with local::lib.

If you want my honest opinion, the biggest source of network related insecurity comes from downloading the numerous precompiled binary libraries and executables, which the various distributions provide. I always compile myself. You should also compile your own kernel and possibly use something like SELinux.

I went through a lot of worrying about this 10 years ago, but then I realized that it was a waste of time. What is your computer used for? If it's just a personal computer, not involved in any secret activity, the risk of invasion is so small that the time it takes to run REAL security is too high related to the risk. If some evil agency wants to get access to your computer, they have easier ways than using CPAN or RPMs. 99 percent of all security compromises come from within your own circle of trust. A co-worker, a girlfriend, etc. who you allow to use the computer are almost always the culprit. You have to watch out for people with USB-Memory-Sticks. :-) They can boot your computer with an on-key OS, and do whatever they want.


I'm not really a human, but I play one on earth.
Old Perl Programmer Haiku ................... flash japh
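The "inspect before installing as root" step in the post above can be partly automated. The script below is an added example, not code from the post or from any CPAN module: it walks an unpacked distribution directory and lists regular files that are world-writable (the mode 777 case) or that carry an executable bit outside `bin/` and `script/`, where executable files are expected. It assumes a POSIX `sh` with `find`, `mktemp` and `chmod`; the sample distribution tree it builds is constructed for illustration and is not a real module.

```shell
#!/bin/sh
# Added example: audit an unpacked distribution for the permission problems
# described in the post (mode 777 files, executable bits on plain files).
# Assumes POSIX sh, find, mktemp and chmod. The sample tree is constructed.

# Print every regular file under the distribution that is world-writable
# (-002) or executable by its owner (-100) outside bin/ and script/.
audit_dist_modes() {
    dist="$1"
    find "$dist" -type f \( -perm -002 -o \
        \( -perm -100 ! -path '*/bin/*' ! -path '*/script/*' \) \) | sort -u
}

# Number of findings, so a wrapper can refuse to proceed to "make install"
# when the result is not zero.
count_findings() {
    audit_dist_modes "$1" | wc -l | tr -d ' '
}

# Build a small constructed distribution tree with one file per case.
make_sample_dist() {
    d=$(mktemp -d)
    mkdir -p "$d/lib" "$d/bin" "$d/t"
    printf 'package Foo;\n1;\n' > "$d/lib/Foo.pm"
    chmod 777 "$d/lib/Foo.pm"          # the Windows-packed, mode 777 case
    printf '#!/usr/bin/perl\n' > "$d/bin/foo"
    chmod 755 "$d/bin/foo"             # a real script: expected to be executable
    printf 'README\n' > "$d/README"
    chmod 644 "$d/README"              # plain text with a sane mode
    printf 'use Test::More;\n' > "$d/t/basic.t"
    chmod 755 "$d/t/basic.t"           # executable test file: worth a look
    printf '%s\n' "$d"
}
```

Run it as `audit_dist_modes /path/to/unpacked/Foo-1.00` from the unprivileged build account, before anything is installed as root. The modes matter more when extracting as root: GNU tar preserves the archive's permission bits for root by default, while for an ordinary user it applies the umask, so the same tarball that unpacks sanely in a home directory can produce world-writable files in a root-run `cpan` session.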