Hm... if you use something like Debian it's quite difficult to get your package installed in the distro. People do review everything that goes in.
I find it incredibly silly to compare something like that to npm, where every kid has dozens of packages installed that anyone using npm can end up downloading and no one is really reviewing anything.
I agree one is more difficult than the other, but I feel the principle is the same. Whilst anything is built using other modules, there is always a risk those modules will be compromised.
What can we do about it indeed!? I guess it's either fully digitally detox or accept the fact that if you use modern technology then somebody is watching what you do.