> This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library.

> Looks like this got caught by chance. Wonder how long it would have taken otherwise.

The IT world is lost in the fantasy that automation is the Way - there are no alternatives, nothing else exists - to scale everything including content moderation, customer service (e.g., from Google, etc.), code review, etc. If it can't be automated, they say 'it can't be done' as if there is no alternative.

It can be done, but it's more expensive and we'll need to pay people. Automation isn't the Way for everything. Our security, code review, etc. are awful.