I noticed that quite a few pods have more than 1 distinct source when checking the pods used by projects I have worked on. From what I could see, source changes were the result of ownership changes, GitHub account name changes, etc.
So I'm not sure how to distinguish malicious source changes from innocuous ones. Maybe it would be worthwhile to search for source changes that lasted a single release and reverted thereafter.
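One way to implement the "changed for a single release, then reverted" heuristic proposed above, as an added example that is not code from the original comment: it separates transient source changes from the persistent ones that renames and ownership transfers produce. The release history is constructed and assumed to already be in release order.

```python
# Constructed example, not a real pod's history: each release is (version, source URL)
# as it would appear in the pod's published podspecs, assumed to be in release order.
from typing import Dict, List, Tuple

Release = Tuple[str, str]

# One-release source change that is reverted (1.1.1), then a persistent change
# of the kind an account rename or ownership transfer produces (2.0.0 onwards).
SAMPLE_RELEASES: List[Release] = [
    ("1.0.0", "https://github.com/old-owner/ExamplePod.git"),
    ("1.1.0", "https://github.com/old-owner/ExamplePod.git"),
    ("1.1.1", "https://github.com/unrelated-account/ExamplePod.git"),
    ("1.2.0", "https://github.com/old-owner/ExamplePod.git"),
    ("2.0.0", "https://github.com/new-owner/ExamplePod.git"),
    ("2.1.0", "https://github.com/new-owner/ExamplePod.git"),
]


def collapse_runs(releases: List[Release]) -> List[Tuple[str, List[str]]]:
    """Group consecutive releases sharing a source: [(source, [versions...]), ...]."""
    runs: List[Tuple[str, List[str]]] = []
    for version, source in releases:
        if runs and runs[-1][0] == source:
            runs[-1][1].append(version)
        else:
            runs.append((source, [version]))
    return runs


def classify_source_changes(releases: List[Release], max_releases: int = 1) -> List[Dict[str, object]]:
    """Describe each point where the source changed.
    'transient': lasted at most max_releases releases, then reverted to the previous
    source (the pattern worth reviewing first). 'persistent': everything else, including
    the return to the earlier source, which is what renames and transfers look like.
    """
    runs = collapse_runs(releases)
    findings: List[Dict[str, object]] = []
    for i in range(1, len(runs)):
        source, versions = runs[i]
        previous = runs[i - 1][0]
        reverted = i + 1 < len(runs) and runs[i + 1][0] == previous
        kind = "transient" if reverted and len(versions) <= max_releases else "persistent"
        findings.append({"versions": versions, "source": source, "previous": previous, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in classify_source_changes(SAMPLE_RELEASES):
        print(f"{f['kind']:10} {', '.join(f['versions'])}: {f['previous']} -> {f['source']}")
```

Run against a real pod, the input would be the (version, `s.source[:git]`) pairs read from each published podspec of that pod; only the transient findings need a closer look.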