All of these attacks on language supply chains have me increasingly convinced that, at the very least, some sort of lightweight formal verification that "this package isn't doing anything obviously sketchy" is necessary. One promising avenue for this is something like Safe Haskell (https://downloads.haskell.org/~ghc/7.8.4/docs/html/users_guide/safe-haskell.html), which proves during compilation that a library function like

    sign :: Privkey -> Message -> Signature

can't steal your private key and ship it off to some scammer. (Because sending your private key to a scammer requires network IO, and the type of this function implies it doesn't do network IO, and Safe Haskell guarantees that it doesn't use any "backdoors" to do IO.) It's not perfect, but it's a pretty good start in the right direction.
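An added example of what that compile-time check looks like in practice. This is my code, not the commenter's and not from GHC's documentation; the module name, the `Privkey`/`Message`/`Signature` types and the toy keyed digest inside `sign` are constructed for illustration only, and the digest is not a real signature scheme.

```haskell
{-# LANGUAGE Safe #-}
-- Added example, not code from the comment above or from GHC: a module
-- compiled under Safe Haskell. The Safe pragma makes GHC reject imports of
-- modules marked Unsafe (such as System.IO.Unsafe, home of unsafePerformIO),
-- reject foreign imports whose result type is not in IO, and disable RULES
-- pragmas and Template Haskell. Together those rules mean a function whose
-- type does not mention IO cannot perform IO, whatever its body says.
module Main (main, Privkey (..), Message (..), Signature (..), sign, verify) where

import Data.Bits (rotateL, xor)
import Data.Char (ord)
import Data.Word (Word8)

-- Uncommenting the next line breaks the build: GHC reports that
-- System.IO.Unsafe is Unsafe and cannot be imported by a Safe module.
-- Without unsafePerformIO there is no way to run an IO action from inside
-- a function typed Privkey -> Message -> Signature, which is exactly the
-- guarantee the comment above relies on.
--
-- import System.IO.Unsafe (unsafePerformIO)

newtype Privkey   = Privkey   [Word8] deriving (Eq, Show)
newtype Message   = Message   String  deriving (Eq, Show)
newtype Signature = Signature [Word8] deriving (Eq, Show)

-- Toy keyed digest, constructed for this example; it is NOT a real signature
-- scheme and must not be used as one. What matters here is the type:
-- Privkey -> Message -> Signature has no IO in it, so under the Safe pragma
-- the body has no way to reach a socket, a file, or an environment variable.
sign :: Privkey -> Message -> Signature
sign (Privkey key) (Message msg) = Signature (foldl step seed (key ++ bytes))
  where
    seed  = replicate 4 0
    bytes = map (fromIntegral . ord) msg
    -- absorb one byte into a rotating four-byte state
    step st b = map (\s -> (s `xor` b) `rotateL` 1) (drop 1 st ++ take 1 st)

-- Verification recomputes the digest; still pure, still IO-free by type.
verify :: Privkey -> Message -> Signature -> Bool
verify key msg sig = sign key msg == sig

main :: IO ()
main = do
  let key = Privkey [0x01, 0x02, 0x03, 0x04]
      msg = Message "transfer 10 coins to alice"
      sig = sign key msg
  print sig
  print (verify key msg sig)
  print (verify key (Message "transfer 10 coins to bob") sig)
```

Build it with `ghc Main.hs` and then try re-adding the `System.IO.Unsafe` import: the rejection happens at compile time, before any code runs. Two caveats worth keeping in mind as a defender: the guarantee covers effects, not correctness, so a `Safe` module can still implement `sign` badly; and modules marked `Trustworthy` are trusted on their author's say-so unless you compile with `-fpackage-trust` and explicitly trust the package, so the package-trust settings are part of the policy, not an afterthought.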