@bagder That number probably came from the episode with Brian Fox from Sonatype. 700K was the number of malicious packages :)
I like to look at the data from @ecosystems
They are tracking 10 million open source projects, 2.7 million of those published something in the last year
Of those 2.7 million, about 20,000 have more than one million downloads
Which is still a pretty wild number. And the Ecosyste.ms data doesn't have download numbers for everything, so there are generous error bars
https://infosec.exchange/@joshbressers/113600810291302610
@joshbressers @ecosystems OpenSSF's criticality score project currently ranks 561,454 projects ...