Kudos for removing the nation from the title to neutralize the bait and keep it technical. I know this comment doesn't contribute much, just wanted to acknowledge the effort.
Code intake technique aside, in this case "typosquatting", the root of the problem is developers that are tasked with writing code choosing instead to just use others' existing work without EVER reviewing or understanding every line of that 'copied' code. While this code reuse technique has existed in many forms since the very first software languages were created, the internet has just exacerbated the code sharing problem. As the world is coming to learn day after day, easy is not secure, and if you copy code one had better "trust but verify"; however, most people are just lazy. Here is a post I made 11 years ago, and rest assured this "people are lazy" security compromise technique has been around a lot longer and will continue to prevail well into the future.

https://www.codeproject.com/Articles/30803/A-R-Live-Support-XML-Based-Customer-Support-Chat-S?msg=3292739#xx3292739xx
> The fact that developers have to explicitly write out which module to import in every file where they want to use an external package makes it less likely that any confusion can happen

Feels to me like they are joking.

When you have to type out the name in every single file, you have a chance of making the mistake every single time you're typing it, while a centralised approach allows one to concentrate on the added import.

One of the vectors of attack using this library is to create a Merge Request that slightly changes the name of the import in one of the N files you are changing. Good luck spotting that as a reviewer.
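One way a reviewer or CI job can catch the subtly altered import described above, as an added example that is not part of the thread: parse each changed Python file, collect its top-level imports, and flag any name that is not on the project's approved dependency list but sits within a small edit distance of an approved name. The allowlist, the edit-distance threshold and the sample file are all constructed for this example.

```python
# Added example: flag imports in a changed file that are near-misses of approved
# dependency names (the trace a typosquatted import leaves behind).
import ast

APPROVED = {"requests", "urllib3", "cryptography", "colorama"}  # constructed allowlist

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values mean 'looks like an approved name'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def top_level_imports(source: str) -> set[str]:
    """Collect top-level module names from both `import x.y` and `from x.y import z`."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])  # level > 0 is a relative import
    return names

def suspicious_imports(source: str, approved=APPROVED, max_distance: int = 2) -> dict[str, str]:
    """Map each unapproved import that is a near-miss of an approved name to that name."""
    findings = {}
    for name in top_level_imports(source):
        if name in approved:
            continue
        dist, nearest = min((levenshtein(name, ok), ok) for ok in approved)
        if dist <= max_distance:
            findings[name] = nearest
    return findings

# Constructed sample of a changed file: two imports have been quietly altered.
SAMPLE = """
import os
import requests
from colourama import Fore
from cryptograhpy.fernet import Fernet
"""

if __name__ == "__main__":
    for bad, good in sorted(suspicious_imports(SAMPLE).items()):
        print(f"suspicious import '{bad}' (looks like '{good}')")
```

Stdlib names such as `os` are unapproved but far from every allowlisted name, so they are not reported; in a real pipeline the allowlist would come from the lock file and the check would run over the files in the merge request.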