Yeah but supply chain attacks like that can hit literally anything. Debian repos, Play store, an individual publishing on his own website, it's all vulnerable.