This kind of thing has been going on since at least the mid-2000s, when the Debian APT repository was popped by dikline, which installed a backdoored ssh daemon and notified a remote server whenever ruby was downloaded and installed.
An activist pushed several updates to a popular Node.js package he helps maintain, which gets about 1 million downloads a week. RIAevangelist thought he could help the current situation in Eastern Europe by wiping files on disk, overwriting their contents with a [heart] emoji, whenever a geolocation web service reported that the machine was in Russia or Belarus. Anyone whose dependency range picked up the new release got the payload at install time, without ever touching the package directly.
He quickly had his Twitter account compromised and docs dropped on him, alleging infidelity to his Japanese wife, along with other personal and family details and a message from the hacker not to mess with things bigger than himself.
Companies and open source projects around the world are concerned by such behavior, as this is, yet again, an example of the massive supply-chain dependencies in our software world that are taken for granted. All it takes is one bad actor with publish rights to a package somewhere in your dependency tree to bring your business or community down.
Some companies may be paranoid and resourceful enough to maintain their own package repositories, if they were not already doing so. A mirror on its own is not enough, though: if builds still float on caret ranges and pull whatever the upstream maintainer published last night, the mirror just caches the bad release. The mirror has to be paired with exact version pins, a committed lockfile with integrity hashes, and a review step before a new version is promoted. Otherwise they will continue to trust the devil they don't know.
This is potentially a big blow to the open source community and to the package ecosystems of high-level languages like JavaScript everywhere.
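As an added example (not code from the original post, and not from node-ipc or any real project), here is a small audit of an npm package-lock.json that enforces the kind of policy a company running its own mirror would want: direct dependencies must be exact pins, every installed package must resolve from the internal registry, and every entry must carry an integrity hash. The registry URL, the package names and the sample lockfile are all constructed for the example.

```javascript
// Added example: audit a package-lock.json (npm lockfileVersion 3 layout) for
// floating ranges, tarballs fetched outside the internal mirror, and missing
// integrity hashes. Not code from the original post or any real package.

// Assumed internal registry mirror; substitute your own.
const INTERNAL_REGISTRY = "https://npm.internal.example.com/";

// Exact semver (1.2.3 or 1.2.3-beta.1). Anything else (^, ~, *, latest, a
// git URL) floats and will pull in whatever the maintainer publishes next.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function auditLock(lock, registryPrefix = INTERNAL_REGISTRY) {
  const findings = [];
  const packages = lock.packages || {};

  // 1. Direct dependencies declared by the root project must be exact pins.
  const root = packages[""] || {};
  for (const group of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(root[group] || {})) {
      if (!EXACT_VERSION.test(spec)) {
        findings.push({ name, version: spec, reason: "floating version range" });
      }
    }
  }

  // 2. Every installed package (including nested, transitive ones) must come
  //    from the internal registry and carry an integrity hash, so that a
  //    swapped or upstream-fetched tarball fails `npm ci`.
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || entry.link) continue; // root project, workspace symlinks
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!entry.resolved) {
      findings.push({ name, version: entry.version, reason: "no resolved URL" });
    } else if (!entry.resolved.startsWith(registryPrefix)) {
      findings.push({
        name,
        version: entry.version,
        reason: `resolved outside internal registry: ${entry.resolved}`,
      });
    }
    if (!entry.integrity) {
      findings.push({ name, version: entry.version, reason: "missing integrity hash" });
    }
  }
  return findings;
}

// Constructed sample lockfile. Package names, versions and hashes are made up.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      dependencies: { "ipc-lib": "^10.1.0", "left-pad-ish": "1.3.0" },
    },
    "node_modules/ipc-lib": {
      version: "10.1.2",
      resolved: "https://registry.npmjs.org/ipc-lib/-/ipc-lib-10.1.2.tgz",
      integrity: "sha512-AAAAexampleAAAA",
    },
    "node_modules/left-pad-ish": {
      version: "1.3.0",
      resolved: "https://npm.internal.example.com/left-pad-ish/-/left-pad-ish-1.3.0.tgz",
      integrity: "sha512-BBBBexampleBBBB",
    },
    "node_modules/ipc-lib/node_modules/nested-dep": {
      version: "0.1.0",
      resolved: "https://npm.internal.example.com/nested-dep/-/nested-dep-0.1.0.tgz",
      // integrity deliberately omitted to show the check firing
    },
  },
};

for (const f of auditLock(sampleLock)) {
  console.log(`${f.name}@${f.version}: ${f.reason}`);
}
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` and wiring a non-empty result to a failing CI step; the point is that a range like `^10.1.0` and a tarball resolved from the public registry are both flagged before `npm ci` ever runs.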
Trust is paramount to business.