Code examples abound on Stack Overflow, GitHub Gist, blog posts, etc. These may contain direct URL dependencies.
Example guiding users to include a Maven dependency: https://www.baeldung.com/guava-mapmaker#map-maker
There is some degree of assurance that this dependency won't last long in the Maven central repo, or any other user configured repository, if it contained malicious code. Obviously it is not foolproof and incidents happen, but without a centralized authority for package management, there is much less assurance that a package is not malicious
