Hackers are rational actors; they want to accomplish their goals using the least amount of effort possible. Attacking proprietary applications can be hard work. Hackers need to conduct research – ideally by obtaining a copy of the software – then attempt to find weaknesses they can exploit.  

After years of attacking networks and custom software, enterprising hackers found an easier attack vector and switched to attacking the application development process itself.  Even better, attackers need not break into an organization’s source repository.  Instead, they simply add their malicious code to common open source projects used by organizations and wait for the developers to add the code to proprietary applications themselves.