Agree & I wonder how the dialog would be different if we spoke about a demand funnel rather than a supply chain.
“We’ve learned that we know much less about the integrity of our software systems than we thought. We’ve learned that supply chain attacks on open source software can start very far upstream—indeed, at the stream’s source.”
https://www.oreilly.com/radar/attacking-supply-chains-at-the-source/