If you, as a threat actor, could embed your malware into a software module that is then used by many innocent and unaware software developers in the packages they release to the general public, wouldn’t you? That looks like a lot of infected machines for a small amount of work. This is the model that has been followed by many a hacker. All they need is a way in: either a vulnerability in the software repository or, why not, the good old phishing email and a bit of social engineering to get the less wary to reveal their usernames and passwords.
The community-run Python Package Index (PyPI), a repository for Python code, has reported the first (known) phishing attack against its users, seeking to deceive them out of their credentials:
PyPI warns of first-ever phishing campaign against its users • The Register
Further Reading
Our trust in public code – UPDATED 24 May 2022 – Smart Thinking Solutions
Make sure your policies and procedures cover the security of your own code and of any bespoke software you depend on; this includes the code on your website.
Do you want your team to recognise phishing emails and social engineering attacks?
Have a look at our training site over at CyberAwake:
CyberAwake | Cyber Security Experts and Awareness in Lincoln
Clive Catton MSc (Cyber Security) – by-line and other articles