by aftbit
671 days ago
Yeah, supply chain stuff is scary and still very open. This ranges from the easy stuff like typo-squatting pip packages or hacktivists changing their npm packages to wreck all computers in Russia up to the advanced backdoors like the xz hack. Another big still mostly open category is speculative execution data leaks or other "abstraction breaks" like Rowhammer. At least in theory things like Passkeys and ubiquitous password manager use should eventually start to cut down on simple phishing attacks.