Malware is absolutely distributed through ads. In the case of more reputable ad platforms that don’t allow arbitrary scripts, it’s by linking to malware, but they’re also used to serve drive-by exploits.
> You have higher chance of getting a malware from `pnpm add` than seeing an ad on the web.
If you’re a normal computer user who browses the web without an ad blocker and never runs `pnpm add`, the relevant chance is a little different. (Fun side fact: current pnpm wisely doesn’t run install scripts by default.)
Ads are basically running a program they wrote on your computer. If there’s any exploitable feature in your browser’s JS sandbox, count on someone sending you an ad that will exploit it.
To add to the other reply, there were even targeted malware campaigns through ad networks. Because nowadays, you can choose who sees your ads so precisely (by IP block or geolocation) that you can target individual organizations.
