A developer uncovered a deceptive order page that loads a script from the trusted jsdelivr.net CDN to exfiltrate user credentials to a .ge domain. This incident highlights growing risks in open-source supply chains and sparks debate on the efficacy of reporting such threats versus independent probing.