Most companies and their vendor ecosystems run on OSS

Worse, "attackers no longer break in, they log in", so the supply chain attacks harvesting credentials have been frightening