If a build tool has any support for tests, it can execute arbitrary code, since that is what tests are. I am quite sure Maven's pom.xml can install binary jar into local .m2/repository, and later use it as plugin during generate-sources phase - and that is something an IDE will want to do when opening project.
NPM attacks are really product of its popularity (and update churn that community already got used to).
They typically don't execute arbitrary code when setting up the project.
If a build tool has any support for tests, it can execute arbitrary code, since that is what tests are. I am quite sure Maven's pom.xml can install binary jar into local .m2/repository, and later use it as plugin during generate-sources phase - and that is something an IDE will want to do when opening project. NPM attacks are really product of its popularity (and update churn that community already got used to).