From <https://www.theregister.com/2020/09/04/disclosure_developer_targeting/>: ... much of it is down to exploiting the trust developers put into shared code and software stacks. By selecting a developer and studying their projects, an attacker would be able to map out the software stack being used. From there, the attacker would pick out a weak spot in that stack – say, a dependency or GitHub project – and slip poisoned code in. This could be as simple as slipping attack code into StackOverflow. ... "Most developers consider themselves to be moderately intelligent but not stupid," mused Jones. "I have found most developers are highly intelligent, but also highly stupid."