As SolarWinds showed, this type of attack isn’t limited to open-source projects. But in the past few years, we’ve seen several stories where big companies have had their security put at risk thanks to dependencies. There are ways to mitigate this sort of attack vector — Google itself has begun vetting and distributing a subset of popular open-source programs, but it’s almost impossible to check over all the code a project uses. Incentivizing the community to check through dependencies and first-party code helps Google cast a wider net.
Read more of this story at Slashdot.