Comment by keyle

2FA is the first steps is stopping the onslaught.

But it still doesn't stop infected developer machines to silently update code and wait for the next release patiently.

It would require the diligence of those developers to check every line of code that goes out with a release... which is a lot to ask for someone who fell for a fishing email.