Supply chain attacks are extremely cheap/easy and very effective, so get prepared for more of them in the future.
It really bothers me, that many companies make billions utilizing open source without contributing money/employees etc. to secure/supply/maintain supply chains.
This one might not have been that cheap. The malicious code was added by a maintainer on the project for two years. That is some patience
Agreed. I am more speaking of 'in general', for example there was a supply chain attack on a widely used npm package by writing an email to the author of the npm package. There are other 'cheap' attacks like dependency confusion, typo squatting etc.
What about finding someone like this and then blackmailing them?
Supply chain attacks are extremely cheap/easy and very effective, so get prepared for more of them in the future.
It really bothers me, that many companies make billions utilizing open source without contributing money/employees etc. to secure/supply/maintain supply chains.
This one might not have been that cheap. The malicious code was added by a maintainer on the project for two years. That is some patience
Agreed. I am more speaking of 'in general', for example there was a supply chain attack on a widely used npm package by writing an email to the author of the npm package. There are other 'cheap' attacks like dependency confusion, typo squatting etc.
What about finding someone like this and then blackmailing them?
That would be cheaper
https://xkcd.com/538/
Lol, too true. It's either that or honeytraps