PlatformIO seems to be the npm or pip of embedded development. While it offers convenient installation of toolchains and their dependencies, I fear it could enable the same software supply chain attacks that have tarnished npm/pip. I would really like to better understand the security posture of the PlatformIO registry.