submitted 6 months ago by Five@slrpnk.net to c/technology@beehaw.org
[-] jmcs@discuss.tchncs.de 9 points 6 months ago

That's also how the most damaging attacks on proprietary software work. At some point all organizations need to trust their members and co-workers need to trust each other - I can't think of a way to be more miserable at work than having to second guess everyone around you.

[-] tal@lemmy.today 4 points 6 months ago

That’s also how the most damaging attacks on proprietary software work.

Yeah, supply chain attacks can happen. There was that infamous SolarWinds supply chain attack recently. But I think that there are some important mitigating factors there.

  • Proprietary software companies -- unless they're using something open-source like xz upstream in their supply chain, as it's not just a "proprietary software world" and "open-source software world" -- tend to have someone's personal information if they're employed by them. They're not gonna hire and pay some random name who they know only as a GitHub account through a VPN, certainly not make them maintainer of their software.

  • Many -- not all -- proprietary software companies mandate that employees work locally. It's likely that if I'm working for a US company, a person is also subject to US law enforcement. In contrast, if you have a state-backed group, they're probably targeting people elsewhere. Whoever the people from the Jia Tan group are, my guess is that it's good odds that they will probably aim to avoid being in a country that they are targeting. Even if we expose their identities, they probably aren't going to be directly impacted by law enforcement. Open source projects hypothetically could do that, I suppose, but normally they're pretty border-agnostic.

That is, I think that this is going to be especially a challenge for the open-source world, as the attacks are targeting some things that the open-source community is notable for -- border-agnosticism, a relatively low bar to join a project, and often not a lot of personal identity validation.

At some point all organizations need to trust their members and co-workers need to trust each other - I can’t think of a way to be more miserable at work than having to second guess everyone around you.

Yeah, that's kinda what I was thinking, but you put it more frankly.

It seems like there's a lot of potential for this to be corrosive to the community.

this post was submitted on 03 Apr 2024