Episode 535: Dan Lorenc on Supply Chain Attacks

Software Engineering Radio - the podcast for professional software developers

Attacking Open Source Code on a Developer's Laptop

There's a couple different ways this can happen. An attacker could either push code directly to the repository or wait for that to get packaged up and sent to PyPI. Depending on how users have their system set up, they pull down that update right away at the very next time they build and deploy. In a lot of these cases, you know, attack one developer and then that's used to laterally move to attack all people depending on that package.
