Open source software is a prime target for supply chain attacks, and protecting open source software remains a challenge.