Protecting open source software from supply chain attacks remains a challenge.