> Says Only Development Community Where This Regularly Happens
We've had such issues in other places as well... Shai-Hulud got into Maven [1] and PHP Composer [2], typosquatters got into Maven [3], and it's not new either [4].
No one is safe from skiddies, much less from nation-state actors.
[1] https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spr...
[2] https://semgrep.dev/blog/2026/malicious-intercom-php-package...
[3] https://www.esecurityplanet.com/threats/malicious-jackson-lo...
[4] https://socket.dev/blog/malicious-maven-package-exfiltrates-...