One malicious script that is run right after install vs one per each API entry point that might be called or not (transitive dependency).