Microsoft said that the threat group has used phishing and password-spraying attacks to compromise at least 14 IT service providers this year.
GitHub has eliminated password authentication for Git operations and now requires the use of a hardware security key or another strong 2FA option.
At Black Hat, Matt Tait of Corellium said the supply chain security problem may get far worse if platform providers don't step in to address it.
The attack on Kaseya VSA servers that led to REvil ransomware deployments has affected nearly 1,500 companies so far.
Improving the security of the open source software supply chain will require better understanding of dependencies, and cooperation from developers and users.