
441 points longcat | 1 comments
1. selinkocalar No.45059105
Supply chain attacks on developer tools are getting more sophisticated. This hits every project using these plugins. The scary part is how long malicious packages can sit undetected. Your CI/CD pipeline could be compromised for months before anyone notices. This is why I always say to scan all dependencies in your compliance checks - not just for known vulnerabilities, but for unexpected changes in package behavior. When a routine update starts making network calls it never made before, that's a red flag.