Insider threat, attacker not in the system, you leave your terminal unlocked and are away. Someone walks passed and tries to install something from you terminal?
While it leads to slightly more chance of traceability, I've seen one line "curl | sh" which install a tool which transmit everything you type, or just your password (when you next type it) off to a remote server, so once you've left a terminal unattended you are in trouble anyway.
This is one place when windows can be much better, as users can't catch ctrl+alt+del, so you can always press that before logging in.
This is one place when windows can be much better, as users can't catch ctrl+alt+del, so you can always press that before logging in.