This post is interesting, but it also commits the cardinal sin of supply chain security publicizing: it doesn't communicate the magnitude of impact, only the magnitude of malicious activity.
This is the same pattern that recurs with breathless reporting on malware in the NPM, PyPI, etc. ecosystems -- the fact that an actor has uploaded hundreds of malicious packages (repos, etc.) means very little if nobody actually downloaded or executed the code from those packages.
That isn't to say that that's what's happened here, but I think this post would be much better if it went beyond 2,400 malicious repositories and gave an indication of how many downstreams were actually affected.
It’s ultimately a numbers game. The more malicious seeds are planted, the higher the likelihood that one of them will be pulled into a real-world build pipeline. Platforms like GitHub, NPM, and other open repositories are ideal staging grounds because very few engineering organizations are willing to block traffic from them. That makes them near-perfect hiding spots for malicious content.
And the asymmetry is stark: attackers only need to succeed once. It takes just a single developer installing a compromised package to trigger a breach with potentially massive downstream consequences. So while I agree that quantifying impact is critical, dismissing large-scale seeding campaigns because “no one might have downloaded it” ignores the risk.
> The more malicious seeds are planted, the higher the likelihood that one of them will be pulled into a real-world build pipeline.
Sure, but you still need to show the impact. Not all "seeds" are equal; that's why we categorize attacks as either opportunistic or targeted (and within that, there's the kind of "lazy" opportunism of package spam versus "motivated" opportunism of trying to trick developers into using a specific compromised package).
(And to be clear, I'm not ignoring the risk here! I believe we can do better about qualifying the risk, which does exist.)
In a world where PR-focused organizations (not saying it's right or that's how it should be, but that 'it do be like it is') actively work to hide breaches on occasion? Should they not publicly success a win and support 'open source' while celebrating a dub, while giving them a sales tool / credibility?
This is the same pattern that recurs with breathless reporting on malware in the NPM, PyPI, etc. ecosystems -- the fact that an actor has uploaded hundreds of malicious packages (repos, etc.) means very little if nobody actually downloaded or executed the code from those packages.
That isn't to say that that's what's happened here, but I think this post would be much better if it went beyond 2,400 malicious repositories and gave an indication of how many downstreams were actually affected.