Malicious versions of Nx and some supporting plugins were published

I'm afraid that open source software supply chain attacks could be much more prevalent than what we are currently aware of. There is a significant market for zero-day exploits, with organizations like the NSA having teams dedicated to collecting and weaponizing them. But finding and exploiting an unintentional zero-day vulnerability is way more difficult than adding an intentional exploitable bug or backdoor to some of the myriad widely used open source dependencies. Of course, if you do it right, you don't land on the HN front page.

Every time one of these comes up, I have similar thoughts. A threat actor is in the position to pull off a large-scale supply chain compromise, and the best thing you can think of to do with that is also the thing that will guarantee you are discovered immediately? Mine crypto on the damn CPU, or publicly post the victim's credentials to their own GitHub account?

On one hand, I cannot accept that the actors that we see who pull these off are the best and brightest. My gut tells me that these attacks must be happening in more subtle ways from time to time. Maybe they're more targeted, maybe they're not but just have more subtle exfil mechanisms.

On the other, well we have exactly one data point of an attempt at a more subtle attack. And it was thwarted right before it started to see wide-spread distribution.

But also there was a significant amount of luck involved. And what if it hadn't been discovered? We'd still have zero data points, but some unknown actor would possess an SSH skeleton key.

So I don't know what to think.