The threat of supply chain attacks targeting open-source software (OSS) is escalating and requires a robust defense. Common types of attack include typosquatting, where malicious packages are published under names that closely resemble popular ones, and dependency confusion, where attackers find or guess the names of packages in private repositories and publish public packages under those names so that build tooling pulls in the public package instead. Maintainer-based threats also exist, such as hijacked maintainer credentials and legitimate maintainers going rogue. Abandoned OSS projects pose a security risk because their vulnerabilities go unpatched, and these can range from low-severity issues to critical ones enabling Remote Code Execution. The infamous Log4Shell vulnerability illustrates the threat of OSS vulnerabilities: they are often easy to exploit and hard to detect. The Open Source Security Foundation's Secure Supply Chain Consumption Framework (S2C2F) provides essential guidelines and best practices for mitigating these risks when consuming OSS.
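As an added illustration of the typosquatting and dependency confusion risks described above (example code written for this page, not part of S2C2F or any project's tooling), the following script audits a Python requirements file. The trusted-package allowlist, the internal package names and the sample requirements are all constructed for the example.

```python
"""Audit a requirements.txt for typosquatting and dependency-confusion risk."""
import re

# Constructed allowlist: trusted public packages plus hypothetical internal packages
# that must only ever be served from the organization's private index.
TRUSTED_PUBLIC = {"requests", "urllib3", "cryptography", "numpy"}
INTERNAL = {"acme-billing", "acme-auth"}  # hypothetical private package names
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name):
    """PEP 503 name normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a, b):
    """Edit distance; small non-zero values against a trusted name suggest a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text):
    """Return (normalized package names, pip option lines) from requirements text."""
    names, options = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("-"):
            options.append(line)
            continue
        match = REQ_LINE.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names, options

def audit(text):
    """Return (package, reason) findings for the two risk classes."""
    names, options = parse_requirements(text)
    # With --extra-index-url pip may satisfy any name from the public registry,
    # which is the condition dependency confusion relies on.
    uses_extra = any(o.startswith("--extra-index-url") for o in options)
    trusted = TRUSTED_PUBLIC | INTERNAL
    findings = []
    for name in names:
        if name in INTERNAL and uses_extra:
            findings.append((name, "dependency-confusion: internal name resolvable via --extra-index-url"))
        elif name not in trusted:
            for known in sorted(trusted):
                dist = levenshtein(name, known)
                if 0 < dist <= 2:
                    findings.append((name, f"possible typosquat of {known} (edit distance {dist})"))
                    break
    return findings

SAMPLE = """\
--extra-index-url https://pypi.internal.example/simple   # constructed
requests==2.31.0
requets==2.31.0        # constructed typosquat
acme-billing>=1.0      # hypothetical internal package
numpy
"""

if __name__ == "__main__":
    for pkg, why in audit(SAMPLE):
        print(f"{pkg}: {why}")
```

Pinning a single `--index-url` to a private index that proxies approved public packages removes the `--extra-index-url` condition the second check looks for.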