
A developer wouldn’t have to install malware. A developer could create malware. Even if you have all of your deployments automated, any developer worth anything could sneak malicious code into the process.



I don't see how that's really relevant.


A developer doesn't need admin access to the AWS console to install malware, bitcoin miners, etc. He just needs to have his code installed. The person who is deploying the developer's code is rarely going to code review the code before it's installed. If my code has access to production when you deploy it, I can make it do anything I want and you would never know.



