Here's what we need to be thinking instead of getting defensive or extra-optimistic:
If high-end security firms and fairly diligent government agencies were infiltrated, why would we think that smaller dev toolchain organisations not founded as security organisations will somehow be less likely to be targeted and become a vector for introducing supply chain attacks. Sophisticated attackers will go after any soft underbelly or pore they can find, and there's no reason not to believe they'd put significant effort into quietly abusing Jetbrains security just like they did with Solarwinds. I'm less worried about the "Russian" red scare mention other than it may give non-US organizations a few more opportunities to inject badness that we can't get visibility on.
Bottom-line is that it would be the holy grail and are we treating it as the high priority target it is? Having worked for dev tool companies in the past, I know they are a lot more worried about innovation than about their own internal processes.
