All 6 of the models on the top row of the free models page are models with malicious code. They were created a few days ago and have been botted to 5 million sales. The require() calls within the scripts are invisible in the roblox script editor. They are only visible after pasting into a text editor. See the images:
The malicious code seems also to come from plugins as well as free models.