I don't think computer people really realize just how little (relevant) malicious code actually exists on the anyone-can-upload package registries, and folks seem to consistently overestimate the actual threat level here
@joepie91 do you count things like Google Play Store as package registries? Because that would change the numbers a fair bit :p
(I assume you don't; this is a joke)
