zlacker

1. chii+(OP)[view] [source] 2026-02-04 06:57:01
Why wouldn't those also become a target, if they would grow to be sizable?

And if they have prevention mechanisms, why can't existing supply chains be secured with similar prevention mechanisms, instead of funneling to a single package manager provider?

replies(1): >>kijin+7h
2. kijin+7h[view] [source] 2026-02-04 09:18:04
>>chii+(OP)
The supply chain for Notepad++ updates was a PHP script on a shared hosting account pointing to the URL of an executable file.

Surely someone with more resources and more sets of eyes could do better than that? AFAIK nobody has compromised Debian's APT repositories and Red Hat's RPM repositories yet.

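The difference kijin is pointing at, between an update channel that is just an unsigned pointer to a file and one where the client checks a publisher signature before trusting anything, can be shown in a few lines. The following Go program is an added example written for this page, not code from either commenter, from Notepad++ or from the APT/RPM projects. It assumes a hypothetical publisher who signs a small JSON manifest (version, download URL, SHA-256 of the installer) with an Ed25519 key kept off the web host; the key seed, the URL and the installer bytes are constructed for the demonstration. A client that does the two checks in `verifyUpdate` rejects a swapped binary (hash mismatch) and a rewritten manifest (bad signature) even when the hosting account that serves both is fully under an attacker's control.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the hypothetical signed update descriptor (constructed for this example).
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignedManifest bundles the raw manifest bytes with the publisher's signature over them.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrHashMismatch = errors.New("downloaded artifact hash does not match manifest")
)

// publisherSign runs on the publisher's side; the private key never lives on the web host,
// so compromising the host yields the ability to serve files but not to sign manifests.
func publisherSign(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// verifyUpdate is the client-side check: signature over the manifest first, then the
// artifact hash. Only after both pass is the downloaded file allowed to run.
func verifyUpdate(pub ed25519.PublicKey, sm SignedManifest, artifact []byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

// demo derives a publisher key from a fixed seed (constructed, not a real key), signs a
// manifest for a genuine artifact, and returns the verification outcome for the genuine
// file, for a swapped binary, and for a manifest rewritten without the signing key.
func demo() (genuineErr, swappedErr, tamperedErr error) {
	seed := sha256.Sum256([]byte("example-publisher-seed"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	pub := priv.Public().(ed25519.PublicKey)

	genuine := []byte("GENUINE INSTALLER BYTES")
	sum := sha256.Sum256(genuine)
	m := Manifest{Version: "1.0.1", URL: "https://updates.example.invalid/app.exe", SHA256: hex.EncodeToString(sum[:])}
	sm, err := publisherSign(priv, m)
	if err != nil {
		return err, err, err
	}

	_, genuineErr = verifyUpdate(pub, sm, genuine)

	// Host compromised: the file behind the URL is replaced but the signed manifest is not.
	trojan := []byte("TROJANIZED INSTALLER BYTES")
	_, swappedErr = verifyUpdate(pub, sm, trojan)

	// Host compromised and the manifest rewritten to match the new file; the old signature
	// no longer covers these bytes and the attacker cannot produce a fresh one.
	trojanSum := sha256.Sum256(trojan)
	rewritten, _ := json.Marshal(Manifest{Version: "1.0.2", URL: m.URL, SHA256: hex.EncodeToString(trojanSum[:])})
	_, tamperedErr = verifyUpdate(pub, SignedManifest{Manifest: rewritten, Signature: sm.Signature}, trojan)
	return genuineErr, swappedErr, tamperedErr
}

func main() {
	g, s, t := demo()
	fmt.Println("genuine install:", g)       // <nil>
	fmt.Println("swapped binary:", s)        // hash mismatch
	fmt.Println("rewritten manifest:", t)    // bad signature
}
```

The public key has to reach clients by a path the web host cannot alter (pinned in the installer, as APT and RPM ship their repository keys in the base image); if the key is fetched from the same host as the manifest, the check collapses back to the unsigned-pointer model the thread describes.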