Is there something about Elixir that makes this surprising? Otherwise, the insight that code that forms part of an application has access to the application state is not exactly very deep.
Plug: I've been building Packj [1] to detect dummy, malicious, abandoned, typo-squatting, and other "risky" packages. It carries out static/dynamic/metadata analysis and scans for 40+ attributes such as num funcs/files, spawning of shell, use of SSH keys, network communication, use of decode+eval, mismatch of GitHub code vs packaged code (provenance), change in APIs across versions, etc. to flag risky packages.
in any language
The subject matter and title unfairly single-out Elixir.
This is an important thing to be aware of, but this is not unique to Elixir, and the article title does not mention Elixir specifically although the example shown is in Elixir. If you are not careful about your dependency chain, attacks like this could happen in any language. When you pull code in and run it in your app, you are trusting it as if you wrote it yourself.