The increasing use of open-source packages in application development also creates a path for threat groups that want to use the software supply chain as a backdoor to myriad targets that depend on it.