> The stewards of each registry work very hard to keep them safe.
What kinds of things do they do? Any idea how this slipped through? Do you know what the review process entails before a plugin is made available for download?
They scan for known malicious code/vulnerabilities.
They work with security researchers to take appropriate action on reports.
They enforce CoC and ToS policy to any that abuse it.
They work with the community to address any unrest.
They continuously monitor for suspicious activity.
They respond to active security incidents.
They work across many security working groups to stay current on best practices, latest standards, newest initiatives.
As to your other questions, this isn't "slipping through". These registries act under a "trust but verify" model. It simply would not scale if they had to manually review all submissions akin to the app store (zero trust). Most of these registries run on volunteers or small pizza teams.
Every single registry has similar challenges. PyPI just last weekend had to halt user sign-ups and uploads due to these abuses.