Early cases were easy to dismiss as crude, noisy, or niche. Then, smaller attacks repeated the same mechanics. Then came campaigns that propagated automatically, blended into normal development workflows, and iterated over time. At some point, it stopped making sense to talk about individual attacks.

This talk is about how we got there and why worms became possible without exploiting anything that was technically broken. It traces the evolution of supply-chain attacks from early warning signs to self-propagating campaigns, and shows how changes in speed, automation, and reuse quietly changed the security properties of the open-source ecosystem. Code now goes from publication to execution almost instantly. Trust is inherited transitively through dependency graphs and tooling. Responsibility, meanwhile, remains local and slow.

The talk closes by arguing that many supply-chain problems no longer fit a prevention-first mindset. At the ecosystem scale, security stops being just a tooling problem and becomes a design problem. Worms didn’t change open source. They showed us how it already works.