The NPM ecosystem has been ripe for this kind of invasion over a decade. And I don’t want to make generalizations or throw shade at a whole class of people, but over the years I have met a lot of very complacent, very naive about security Node devs (some of whom have gotten very frustrated with me for raising concerns about the ecosystem being a ticking time bomb).

I’ve been expecting something like this for years.