1 link tagged with all of: dependencies + open-source + security + supply-chain
Links
Over the past 15 months a series of high-profile backdoors, worms and trojans have compromised thousands of npm, PyPI and other open-source packages, exposing millions of downstream projects to remote access, data wiping and credential theft. The article traces incidents from the xz-utils backdoor to self-propagating npm worms, explains how deep dependency trees magnify risk, and outlines immediate steps—pinning versions, auditing dependencies and funding maintainers—to stem the threat.
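The "pin versions" step in the summary is the one that is easy to get wrong, because a manifest can look pinned while still letting the resolver pull whatever was published last night. The script below is an added example (not code from the linked article or from any project it describes) that flags floating version specifiers in a pip requirements file and an npm package.json. Both manifests are constructed inline for the demonstration; the dependency names and versions in them are made up and are not claims about real packages.

```python
"""Flag dependency specifiers that let a resolver pick up a newly published release.

Added example, not code from the linked article. A floating range (>=, ^, ~, *, latest,
or no specifier at all) means the next `pip install` or `npm install` can silently pull
in a release that did not exist when the manifest was written, which is exactly how a
freshly backdoored version reaches downstream projects.
"""
import json
import re

# Constructed sample inputs; the package names and versions are illustrative only.
SAMPLE_REQUIREMENTS = """\
# requirements.txt
requests>=2.28          # floating lower bound
urllib3                 # no specifier at all
cryptography==42.0.5 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
pyyaml==6.0.1
"""

SAMPLE_PACKAGE_JSON = """\
{
  "name": "demo-app",
  "dependencies": {
    "express": "^4.19.2",
    "lodash": "~4.17.21",
    "left-pad": "1.3.0",
    "some-lib": "latest"
  },
  "devDependencies": {
    "eslint": "*",
    "typescript": "5.4.5"
  }
}
"""

# pip requirement line: package name followed by whatever specifier/options remain
_PIP_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")

# exact npm version: optional '=', then MAJOR.MINOR.PATCH with optional prerelease/build tag
_EXACT_NPM = re.compile(r"^=?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def audit_requirements(text):
    """Return {name: reason} for every requirement that is not an exact, hash-checked pin."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("-"):  # blank, -r includes, --index-url, etc.
            continue
        m = _PIP_LINE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        if "==" not in rest:
            findings[name] = "not pinned with =="
        elif "--hash=" not in rest:
            # pinned by version only: a republished/replaced artifact still installs
            findings[name] = "pinned but no --hash"
    return findings


def audit_package_json(text):
    """Return {name: range} for npm dependencies whose range is not an exact version."""
    manifest = json.loads(text)
    findings = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not _EXACT_NPM.match(spec.strip()):
                findings[name] = spec
    return findings


if __name__ == "__main__":
    for name, reason in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"requirements.txt: {name}: {reason}")
    for name, spec in audit_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"package.json: {name}: floating range {spec!r}")
```

Two caveats a practitioner should keep in mind: an exact version in package.json constrains only direct dependencies, so the transitive tree still needs a committed lockfile installed with `npm ci` rather than `npm install`; and on the pip side, `pip install --require-hashes -r requirements.txt` is what actually turns the `--hash` entries into an enforced check instead of a comment.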