@lupyuen Yeah, I saw another post about this... are companies really just pulling software direct from public repositories? I mean, your risk profile is your own, but it's not even that hard to set up an Artifactory or Nexus and block retrieval of your internal packages. This is a known thing. So, if your company gets hacked this way, it's kinda your own fault.
