Supply-chain attacks on open source software are getting out of hand