It's happened already
There where a few truckloads of perfectly resealed WindowsXP disks a few years back. Every one was pre-infected with malware and on it's way to being injected back into the legitimate supply chain for retail shelf sales. If that's what was caught, how much wasn't?
Years ago, network hardware was also discovered. I believe it was Cisco boxes that where leaving out a factory side door; nothing stopping the criminals from adding "value" into the hardware in that case either.
By definition, the crapware including with pre-built machine purchases easily falls into the malware category. Installed without the previous permission of the owner and doing things the owner may not agree with. There was a time when dial-home code was blatantly considered malware; the code is still here and "dial-home by default" makes it worse with always on network connections.
Microsoft Windows98 harvested user data and delivered it directly back to there databases until the behavior was discovered by a researcher. Microsoft got a lot of heat over that and had to change Windows Update's methods as a result.
A requirement of Lenovo's Thinkvantage "value add" software is Message Center which is now been made a required dependency for Thinkvantage System Update. Message Center's purpose is to spam users with popups. You may not be able to imagine the confusion when my users start getting popups asking them to buy new batteries or larger hard drives.
Lest we leave out DRM and similar badly implemented things that lock the owner out of there own property and treat them like a criminal by default (guilty until proven less guilty).
I think it was barely two years ago that batches of flashdrives where discovered to have had malware injected at the production factory. Criminals actually got a modified firmware onto the production line so every unit that came out of there was pre-infected before being packaged for retail shelves.
I'm sure there is a long list of examples I'm unaware of but those are some of the cases where infection has happened long before consumer purchase let alone downloading.
