Poison open source supply chains

Attack tree

1 Create a new package (OR)
    1.1 Develop and publish package (AND)
    1.2 Distribute in dependency trees
        1.2.1 Use a name similar to existing package names (“typosquatting” or “combosquatting”) (OR)
        1.2.2 Reuse an identifier of a project, package, or user account withdrawn by its original maintainer (use after free)
2 Infect an existing package
    2.1 Inject in source (OR)
        2.1.1 Pull request as contributor
        2.1.2 Commit as administrator
   Capture credentials or tokens (OR)
   Social engineer
    2.2 Inject during build (OR)
        2.2.1 Compromise build system (MitM)
   Manipulate package download
   Run malicious build
    2.3 Inject in repository system
        2.3.1 Capture credentials or tokens (OR)
        2.3.2 Exploit vulnerabilities
        2.3.3 Deploy in a mirror repository