HACKER Q&A
📣 gjvc

Do people really believe that JetBrains software might be compromised?


I am just a reasonably satisfied customer of JetBrains. Their products are the best options, and their willingness to fix bugs is admirable. In the past 24 hours, I have seen several (about 5 or so) posts to Twitter and other chat channels in response to the NYT article https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html asking questions like "It's unclear to me if I should uninstall PyCharm."

JetBrains' response is here: https://blog.jetbrains.com/blog/2021/01/06/statement-on-the-story-from-the-new-york-times-regarding-jetbrains-and-solarwinds/

Are people really concerned that this is a credible threat?


  👤 zn44 Accepted Answer ✓
I'd assume most of the people posting this happily install random packages from npm without a second thought.

Surely it can be a potential threat, but in most cases there is a VERY long list of things you need to secure before it's reasonable to worry about your IDE.


👤 hctaw
We know that the build and release infrastructure for SolarWinds was compromised to distribute malware signed with their keys. What we don't know is who or what was responsible. In the sense that JetBrains is in the supply chain and that supply chain was ultimately compromised, the threat is absolutely credible.

Other credible threats include every human who touched or has the ability to touch the configuration of their TeamCity pipelines.

However, the Times journalists should get some facts straight before flinging libel around. There are millions of JetBrains users for a wide variety of products. They're implicating all these products, and that doesn't seem to be appropriate. Breaking a text editor or IDE to introduce this class of attack seems unlikely, and much more prone to discovery.

Personally, everything about this smells like an inside job (or gross incompetence).