There is no point setting up the spectre of a hypothetical nasty, a straw man, and then calling it a bugaboo and blaming it on CPAN. You are rattling a chain that isn’t connected to anyone or anything. You’re arguing for a causal association that simply does not have any meaning at all. Malice can be done in any language. In any library. But a contributed library (Perl or otherwise), which by definition is encountered by and reviewed by a great many people, is far less likely to be a vector for malice than original code which no one other than the disgruntled author may actually see. There are lots of lone wolves out there, and a few of them might be rabid. Their malicious tendencies are much more likely to succeed in a “one off” system that only they may see, than by a system that thousands of individuals worldwide must deal with constantly.