  • 0 Votes
    21 Posts
    0 Views
    nullagent@partyon.xyz
    These sorts of NPM worms have been around for a LONG time. It's typically due to a common practice of low 2FA opt-in on NPM accounts. So be sure to set up NPM 2FA if you're a package maintainer; do that ASAP! A lesser-known NPM capability is that you can disable install-time scripts. This may break some packages, but it's worth a try to see if your projects can work without any install scripts. https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability
    #GitHub #NPM #Microsoft #Sha1Hulud #nodejs #javascript