xz has dozens of contributors and two active maintainers. It was the actual example I was thinking of. The code was submitted by a third party and not a result of a developer machine compromise.
left pad wasn't a security incident. It was a capitalism incident.
Are those the ones typically involved in supply chain attacks?
There are no perfect solutions; but, let's be reasonable.
Actually, yes, they are the prime targets: https://en.wikipedia.org/wiki/Npm_left-pad_incident or seemingly https://en.wikipedia.org/wiki/XZ_Utils_backdoor as well.
xz has dozens of contributors and two active maintainers. It was the actual example I was thinking of. The code was submitted by a third party and not a result of a developer machine compromise.
left pad wasn't a security incident. It was a capitalism incident.