[rs999gti]

> supply chain attacks

You all really need to stop using this term when it comes to OSS. Supply chain implies a relationship, none of these companies or developers have a relationship with the creators other than including their packages.

Call it something like "free code attacks" or "hobbyist code attacks."

[shermantanktop]

“code I picked up off the side of the road”

“code I somehow took a dependency on when copying bits of someone’s package.json file”

“code which showed up in my lock file and I still don’t know how it got there”

[orbital-decay]

All of which is true for far too many projects

[__alexs]

I know CrowdStrike have a pretty bad reputation but calling them hobbyists is a bit rude.

[cobbal]

I'm sure no offense was intended to hobbyists, but it was indeed rude

[pixl97]

A supply chain can have hobbyists, there's no particular definition that says everyone involved must be a professional registered business.