In Solidity any address can be casted into specific contract, even if the contract at the address is not the one being casted. This can be exploited to hide malicious code.
- Initialize a new contract inside the constructor
- Make the address of external contract public so that the code of the external contract can be reviewed
https://solidity-by-example.org/hacks/hiding-malicious-code-with-external-contract/