Looks like Python just had a left-pad like incident
twitter.com. Quoting: "I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so"
A Python package in use enough to be flagged 'critical' could be earning a few hundred US dollars per month through Tidelift if the maintainers sign up. Which should more than compensate for the 2FA overheads.
Does this really work? I assume only for popular JS, python or ruby packages, right?
I assume it needs to be popular, yes. I'm assuming 'left-pad like' means popular, and may be vastly overstating. I've been paid monthly for over a year now, but my package was top-20 by download count when that started.
Article says it was a mistake. Maybe post initial publication revision?