It's bizarre to me that node has so little to lock down what dependencies can access, especially when it's such a free-for-all. Even if you take the good advice to specify specific dependency versions, you can't be 100% sure that when you update them, what you're updating to is safe. This idiot's actions seem amateurish. I imagine more thoughtful malware goes undetected - things that scan your hard disk for passwords, maybe something that targets individuals through social media IDs on the naughty list, etc.
Allegedly deno (node successor, but not yet as popular) does something about the user of the dependencies being aware of, or having to explicitly grant, access to things like the filesystem, which seems not-stupid. If you need to use node, and so many things use it these days - you should probably run it in a VM or something, and maybe play detective a bit and try to catch malicious things.
The safest approach is just to not run it as root. There is no need to do that anyway.
Which you can just restore from the system that is still functional. If the whole disk is wiped, then you are hosed without an external backup.