

But that’s not a supply chain attack. If projects or platforms are compromised and THEN their code is used by normal means of ingestion of said project, that would be a supply chain attack.
These are unofficial channels created as forks of existing projects in an attempt to fool users into using these instead.
Literally said they don’t want immutable.