Its not questhelper that is the issue, its the site they are obtaining it from.
WoWInterface and Curseforge seem to be doing a good job at keeping the "issues" out these days.
Just be prudent about scanning the file before unzipping it, and above all else, dont run any .exe included in any addons.

For the 10000000000000000000000000th time mods cant do that.

The lua engine starts AFTER you log in which is AFTER your password has been removed from memory. There is also no way for a mod to interact with any form of network communication so it can't send your password to anyone.

MODS use LUA script the only thing they can do is what wow lets them do and installing themselves as a system application or copying your password is not one of those things.

Any mod that has an installer application is subject to scrutiny because the installer not the mod could contain a virus. As long as you are getting your mods from a reputable place like curse, wowace, or wowinterface you will be fine.

Ok I had to post again just because the 2nd part of the post is ridiculous too.

How would a 'hacker' target you next based on your characters name? Is it your username? Do you share a computer with the guy that got hacked? Does the guy who got hacked know your username and password?

The chances of seeing who is GM is 100%. There is this little website called wowarmory.com that gives anyone that information.

/facepalm

for god' sake, read this thread in his entirety :

http://www.wowhead.com/?forums&topic=54991

No, QH isn't the cause of the recent hacking of your unfortunate friends.