• the programmer is an engineer with a low qualification level who can’t detect scams.

    The author of the article doesn’t appear to understand that confidence games don’t depend on how skilled someone is in their field; they are usually a statistical attack depending on a small percentage of any population being credulous about any offer at any given time.

    The only way to defend against these scams is defense in depth, via publishing requirements, policies, policy review, code review and security testing.

    I should also point out that OSS has come under heavy attack recently with attackers leveraging the dependency chain to trick OSS developers into installing malicious libraries that look a lot like the legitimate versions. Often they create developer identities on GitHub, create a single legitimate project, and do some legitimate commits to a range of other projects. Then they stand up another account and use it to create trojanized libraries, and then switch their now popular project to use the malicious libraries. In some cases, their popular project is a library itself, so every project with dependencies on that library automatically inherits its malicious dependency.

    These days, assume that code is likely compromised no matter where it’s from, and do your reviews and testing and set your policies accordingly.
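As an added illustration of the review step the comment recommends, not part of the original post: a small Python check that reviews a change to a requirements-style dependency manifest and flags names that closely resemble known packages (the lookalike-library pattern described above), names not on an allowlist, and unpinned versions. The allowlist and both manifests are constructed placeholders.

```python
import difflib
import re

# Constructed allowlist of approved package names (placeholder values, not from the post).
KNOWN_GOOD = {"requests", "urllib3", "cryptography", "pyyaml", "numpy"}

# Matches "name" or "name==version"; extras/markers are out of scope for this check.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([^\s#]+))?")


def parse_requirements(text):
    """Return {lowercased name: pinned version or None} from requirements-style lines."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = REQ_LINE.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(3)
    return deps


def lookalike_of(name, known=KNOWN_GOOD, cutoff=0.8):
    """Return the known package this name most resembles, or None if it is known or unlike any."""
    if name in known:
        return None
    matches = difflib.get_close_matches(name, known, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def review_dependency_change(old_text, new_text, known=KNOWN_GOOD):
    """Review only deps added or changed in new_text; return (name, reason) findings."""
    old, new = parse_requirements(old_text), parse_requirements(new_text)
    findings = []
    for name, version in sorted(new.items()):
        if name in old and old[name] == version:
            continue  # unchanged dependency: nothing new to review
        twin = lookalike_of(name, known)
        if twin:
            findings.append((name, f"looks like known package '{twin}'"))
        elif name not in known:
            findings.append((name, "not on allowlist"))
        if version is None:
            findings.append((name, "unpinned version"))
    return findings


if __name__ == "__main__":
    # Constructed before/after manifests: one lookalike name and one unknown, unpinned dep added.
    OLD = "requests==2.31.0\nnumpy==1.26.0\n"
    NEW = "requests==2.31.0\nnumpy==1.26.0\nrequestss==2.31.0\nleftpad\n"
    for name, reason in review_dependency_change(OLD, NEW):
        print(f"{name}: {reason}")
```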