Supply chain attacks will become more common, as they are the most efficient way to gather intelligence and infect a target. Herd immunity works both ways. If an app invades privacy but is generally accepted by the masses, then it will not suffer any consequences. Look at Facebook: for all of its data collecting, it took a congressional hearing and a whistleblower, and even then they’re still operating. Good luck trying to get threat actors in front of a congressional hearing.
Similarly, open source software, while generally good, can still suffer many of the same flaws, and if not properly defined in scope it can become what it was meant to destroy. Most software comes from a need for something: someone didn’t like this button here, too many privacy-invading features there, etc. But just because it’s open source does not mean it’s best practice.
I’ve already said this about Chrome and Chromium. Especially since there’s basically no **mainstream** competition except for Firefox and Safari. People said “well the maintainer caught the malicious commit so it’s okay”. No! That’s not okay, find out how it got in in the first place and begin implementing a process to verify identity before allowing a commit to that critical portion of the project. You don’t allow people to write to your system unless they’re in sudoers, why are you allowing them to commit potentially malicious code? We got saved by one person, and if that person is having a bad day and makes a mistake, we’re all having a bad day.
I cannot stress it enough, and it seems most people are lax about it. One of these days it’ll happen, and by then I hope all of y’all have made sure your company’s insurance covers pretty much your entire portfolio that uses an open source library that’s gone bad. Always fork your own software for commercial use (within licence limits).