I’m not surprised it took a while to hijack legitimate packages in the repositories, that seems like a much longer campaign would be required along with a higher degree of technical competence to chain together the required steps that led to getting malicious code into the project repos.

I am surprised that typo squatting hasn’t been a big issue like in NPM though, because you’re right. The victim users seem like they would trend younger and less cyber-aware, and things like family computers would probably have higher odds of being on all the time, or being shared with parents who also use the computer for banking etc.

Actually now that I’m thinking about it do families even have “family computers” anymore, or does everyone have their own device just like most families with smart phones/tablets? Nobody I know really has kids so I have absolutely no clue what the current trend on that kind of thing is. The few I do know are the kind of people that also have homelabs and Grafana servers to track their Tesla metrics and have maps of local weather radar and real-time driving tracks up on wall mounted displays in their family room or home office, so personal hand-me-down PC’s for the kids are pretty much the norm.