How _lucky_ that github itself was the subject of the attack in npm.
Unless I'm missing something, this attack could have gone unnoticed for a long time (it would be hard for someone to connect a random breach in their infrastructure to an oauth intrusion affecting two of their service providers).
It's an interesting point, but I'm wondering how to unpack it.
"If Twitter was open... a dozen people innovating on it..."
Though not 100% independent of their funding model (loss-aversion bias might lead us to conclude that big companies take less risk), presumably Twitter has at least a dozen people trying to innovate on it?
They may not be doing what [parts of] the community wants, but that's not quite the same thing as not innovating.
Unless I'm missing something, this attack could have gone unnoticed for a long time (it would be hard for someone to connect a random breach in their infrastructure to an oauth intrusion affecting two of their service providers).