The phrase "supply chain attack" makes it sound like it's some big, hard-to-avoid problem. But almost always, it's just developer negligence:
1. Developer allows some organization to inject arbitrary code in the developer's system
2. Organization injects malicious code
3. Developer acts all surprised and calls it an "attack"
Maybe don't trust 3rd parties so much? There are technical means to avoid it.
Calling this situation a supply chain attack is like saying you were the victim of an "ethanol consumption attack" when you get drunk from drinking too many beers.
It's called a supply chain attack to displace the blame from the profitable organization that negligently uses this code onto the unpaid developers who lost control of it.
As if expecting lone OSS developers that you don't donate any money towards to somehow be able to stand up against the attacks of nation states is a rational position to take.
In this case, the developer sold the user account & repository for money (no ownership change to monitor), so if you were not privy to that transaction, you really couldn't "easily" avoid this without e.g. forking every repo you depend on and bringing it in house, or some other likely painful defense mechanism to implement.
That's why businesses pay Redhat, Qt, Unity, ... Clear contracts that reduce the risk of compromised dependencies. Or you vet your dependencies (it helps when you don't have a lot).
What good does this comment do beside allow you to gloat and put others down? Like, Christ. Are you telling me that you’d ever speak this way to someone in person?
I have no doubt that every single person in this thread understands what a supply chain attack is.
You are arguing over semantics in an incredibly naive way. Trust relationships exist both in business and in society generally. It’s worth calling out attacks against trust relationships as what they are: attacks.