Risk vector: Package managers like npm, pip, Maven, and Go modules all enable pulling dependencies directly from GitHub repositories instead of official registries. Related:Phishers Pose as Palo Alto ...