Hacker News

vasco, last Monday at 4:59 AM (3 replies)

They can't explain, it's just victim blaming. The market currently doesn’t have a proper solution to this.

Everyone works with these package managers. I bet the commenter also has installed pip or npm packages without reading their full code; it just feels cool to tell other people they are dumb and it's their own fault for not reading all the code beforehand or for using a package manager, when every single person does the same. Some just are unlucky.

The whole ecosystem is broken, the expectations of trust are not compatible with the current amount of attacks.


Replies

voidnap, last Monday at 9:12 AM

It isn't victim blaming. People like you make it impossible to avoid attacks like these because you have no appetite for a better security model.

I run npm under bubblewrap because npm has a culture of high risk: of using too many dependencies from untrusted authors. Being scrupulous and responsible is a cost I pay with my time and attention, but it is important, because if I run some untrusted code and am compromised it can affect others.

But that is challenging when, every time some exploit rolls around, people like you brush it off as "unlucky", as if to say it's unavoidable; that nobody can be expected to be responsible for the libraries they use because that is too hard or whatever. You simply lack the appetite for good hygiene, and it makes it harder for the minority of us who care about how our actions affect others.
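
The comment above says it runs npm under bubblewrap but does not show how. The wrapper below is an added example (mine, not voidnap's script and not part of the thread) of what such a sandbox looks like: the project directory and an npm cache are the only writable paths, the real home directory (SSH keys, ~/.npmrc tokens, cloud credentials) is replaced by an empty tmpfs, and the network namespace is shared only for subcommands that must reach the registry. It assumes a Linux host with bwrap installed and either a setuid bwrap or unprivileged user namespaces; the function names, the NPM_SANDBOX_CACHE variable and the list of network-needing subcommands are this example's own choices.

```shell
#!/bin/sh
# npm-sandbox: run `npm <args>` inside a bubblewrap (bwrap) sandbox.
# Added example, not from the original thread. Assumes bwrap on Linux and
# paths without embedded newlines. Save as `npm-sandbox`, then run e.g.
# `npm-sandbox install` or `npm-sandbox test` from the project directory.
set -eu

# Print, one per line, the bwrap arguments for running npm against a project.
#   $1 project directory (read-write)
#   $2 npm cache directory (read-write, mounted as $HOME/.npm in the sandbox)
#   $3 the real home directory to hide behind an empty tmpfs
#   $4 the npm subcommand (decides whether the sandbox gets network access)
build_bwrap_args() {
  project=$1 cache=$2 home=$3 subcmd=${4:-}

  # Fresh user/pid/ipc/uts/cgroup/net namespaces for everything.
  set -- --unshare-all
  # Only subcommands that must talk to the registry keep the host network;
  # lifecycle scripts run by `npm run` / `npm test` get no network at all.
  case $subcmd in
    install|i|ci|update|audit|publish|view|search) set -- "$@" --share-net ;;
  esac

  set -- "$@" \
    --die-with-parent \
    --new-session \
    --ro-bind /usr /usr \
    --ro-bind /etc /etc \
    --proc /proc \
    --dev /dev \
    --tmpfs /tmp \
    --tmpfs "$home" \
    --bind "$cache" "$home/.npm" \
    --bind "$project" "$project" \
    --chdir "$project" \
    --setenv HOME "$home" \
    --setenv npm_config_cache "$home/.npm"

  # Toolchain directories that are real directories or symlinks on this host.
  # On merged-/usr systems these resolve into the read-only /usr bind above.
  for d in /bin /sbin /lib /lib32 /lib64; do
    if [ -e "$d" ]; then set -- "$@" --ro-bind "$d" "$d"; fi
  done

  printf '%s\n' "$@"
}

# Run `npm "$@"` inside the sandbox, using the current directory as the project.
# Note: --tmpfs on $home comes before --bind of the project, so a project that
# lives under $HOME is still visible; everything else under $HOME is not.
sandboxed_npm() {
  project=$(pwd -P)
  cache=${NPM_SANDBOX_CACHE:-$HOME/.cache/npm-sandbox}
  mkdir -p "$cache"
  command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 127; }

  # Turn the newline-separated list back into argv without globbing.
  nl=$(printf '\n.'); nl=${nl%.}
  IFS=$nl
  set -f
  set -- $(build_bwrap_args "$project" "$cache" "$HOME" "${1:-}") npm "$@"
  set +f
  unset IFS
  exec bwrap "$@"
}

# Only act as a CLI when invoked under the wrapper's own name, so the file can
# also be sourced for its functions.
case ${0##*/} in
  npm-sandbox) sandboxed_npm "$@" ;;
esac
```

The sandbox bounds the blast radius, not the damage inside it: a malicious install script run via `npm-sandbox install` still has network access and can read and exfiltrate anything in the project directory and cache (source, .env files, a git checkout), and `--ro-bind /etc /etc` exposes the host's /etc, which is fine only if nothing secret is world-readable there. Audit a new dependency offline (`npm-sandbox test` gets no network) before giving it a run with `--share-net`.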

u8080, last Monday at 12:20 PM

>it's their own fault for not reading all the code beforehand or for using a package manager, when every single person does the same.

But like, isn't that actually the core of the problem? People choose to blindly trust some random 3rd parties; isn't exploiting this trust an inevitable and predictable outcome?

snickerbockers, last Monday at 4:58 PM

>it's just victim blaming

Victim-blaming is when a girl gets raped and you tell her that it's her fault for dressing like a skank and getting drunk at a college fraternity party. Telling the bank they should have put the money in a vault instead of leaving it in an unlocked drawer next to the cash register is not victim-blaming. Telling the CIA that they shouldn't have given Osama bin Laden guns and money to fight the Soviets in Afghanistan is not victim-blaming. Telling President Roosevelt it was a poor decision to park the entire Pacific fleet in a poorly-defended naval base adjacent to an expansionist empire which is already at war with most of America's allies is not victim-blaming. *Telling a well-funded corporation to not download and execute third-party code with privileges is not victim-blaming, especially as their customers are often the ones who are actually being targeted.*

>I bet the commenter also has installed pip or npm packages without reading their full code

I think I did use pip at some point about a decade ago but I can't remember what for. In general, though, you lose that bet because I don't use either of these programs.

> it just feels cool to tell other people they are dumb

It does, yes.

>and it's their own fault for not reading all the code beforehand or for using a package manager, when every single person does the same.

I don't suppose you've ever played an old video game called "Lemmings"?

>Some just are unlucky.

Lol.

>The whole ecosystem is broken, the expectations of trust are not compatible with the current amount of attacks.

That's kind of my point, except it doesn't mitigate responsibility for participating in that ecosystem.