Malicious code is everywhere. They can also infect a website, server, even in a WordPress theme. It could be a trojans, botnets, even more dangerous, a backdoor / webshell. So it’s very important to do a routine scan on your WordPress themes, especially if you get them from unknown sources (nulled?).
Here is a plugins review which can help you to check a WordPress for Malicious code.