How do we know the supposedly malicious content (which hasn't provably affected a single person) a security company finds, didn't originate from that same company?

Crates NO ONE uses or ever used.
"with over 7,000 all-time downloads" immediately mentioned to make it sound like the above is not the case.
Our "AI" found a malicious base64 (wow, very fancy)!
Muh supply chain!
bla bla China bla bla

It all sounds like a joke, and a lazily written one at that (Edit for fairness: the ctor part was a nice touch tbf).

And this is not limited to this analysis, or this company, or the Rust ecosystem. The era of CVE logos and all that theater can become rather tiring, and AI slop took the silliness to a whole other level. Or as our friend Daniel puts it, it's a "Death by a thousand slops".

[–] eah@programming.dev 3 points 1 week ago* (last edited 1 week ago)

The CEO of Socket is this guy. I'm not sure that someone with those credentials would be heading a company engaged in what basically amounts to racketeering. Though, I suppose he might be unaware it's happening. The company has many investors, any of who would benefit from creating an environment that supports the company's existence without the awareness of any of the employees. But it's clear this isn't some scam operation run by desperate people out of India, which was my first thought from reading your comment. There are reputable people with their reputations at stake. It would be a Theranos-level scandal if what you say was actually determined to be occurring. So, on the one hand, there are reputations at stake, and, on the other hand, Silicon Valley is not incapable of committing fraud.