There were a few mishaps with PyPI and npm - including in the past week and even today. Not sure if those meet your criteria of FLOSS, but if it does I wouldn't call it solved.

Yeah but supply chain attacks like that can hit literally anything. Debian repos, Play store, an individual publishing on his own website, it's all vulnerable.