Source: Ars Technica
The shift from targeted supply chain attacks to mass contamination represents a change in threat model. When adversaries move from surgical strikes on specific projects to broad pollution of the commons, they are signaling both technical capability and a bet that defenders are overwhelmed: the economic equation has flipped, and damage per unit of attacker effort now favors the attacker. This forces a reckoning for the open source ecosystem's governance model. If the cost of verifying a dependency exceeds the value of getting it for "free", maintainers and enterprises face a choice between lockdown-heavy controls (such as pinning and vetting every dependency they pull in) and accepting a permanent baseline of compromise risk.