People keep saying this, but it's easy to imagine that the malicious code in a maven-included package only works when it detects it's being invoked in a unit test, which puts it in build time easily.
It's true it doesn't immediately build on site, but it sure could run on the developer's machine.