Hacker News

ChrisMarshallNY yesterday at 11:01 PM

> the kind of dependency developers install without a second thought

Kind of a terrifying statement, right there.


Replies

agentifysh yesterday at 11:09 PM

yeah i mean this is a tough problem. unless you work for a government contractor where they have strict security policies, most devs are just going to run npm install without a second thought as there are a lot of packages.

i don't know what the solution here is other than to stop using npm

sneak yesterday at 11:04 PM

Every docker image specified in a k8s yml or docker-compose file or github action that doesn’t end in :sha256@<hash> (i.e. specifying a label) is one “docker push” away from a compromise, given that tags/labels are not cryptographically specified. You’re just trusting DockerHub and the publisher (or anyone with their creds) to not rug you.

The industry runs on a lot more unexamined trust than people think.

They’re deployed automatically by machine, which definitionally can’t even give it a second thought. The upstream trust is literally specified in code, to be reused constantly automatically. You could get owned in your sleep without doing anything just because a publisher got phished one day.

sublinear yesterday at 11:09 PM
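The digest-pinning point in the comment above, as an added example that is not part of the thread: a small check that flags image references in docker-compose, Kubernetes and GitHub Actions files which are addressed only by a mutable tag rather than a sha256 digest. The sample manifest and its digest value are constructed for the demonstration.

```python
import re

# Matches the immutable `@sha256:<64 hex>` digest suffix of an OCI image reference.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Matches `image: <ref>` (docker-compose, Kubernetes) and `uses: docker://<ref>`
# (GitHub Actions). A leading `- ` and surrounding quotes are tolerated;
# `uses:` lines that are not docker:// refs (e.g. actions/checkout@v4) are skipped.
IMAGE_LINE_RE = re.compile(
    r"^\s*-?\s*(?:image:\s*['\"]?|uses:\s*['\"]?docker://)([^'\"\s#]+)"
)


def is_digest_pinned(ref: str) -> bool:
    """True when the reference ends in a sha256 digest, so a `docker push`
    to the tag cannot change what gets pulled."""
    return DIGEST_RE.search(ref) is not None


def find_unpinned(manifest: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for each image addressed only by tag."""
    findings = []
    for lineno, line in enumerate(manifest.splitlines(), start=1):
        m = IMAGE_LINE_RE.match(line)
        if m and not is_digest_pinned(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample; the digest is a placeholder, not a real image digest.
DIGEST = "a" * 64
SAMPLE_MANIFEST = f"""\
services:
  web:
    image: nginx:1.25
  db:
    image: "postgres:16@sha256:{DIGEST}"
  cache:
    image: redis
---
spec:
  containers:
    - image: ghcr.io/example/app:v2@sha256:{DIGEST}
---
steps:
  - uses: actions/checkout@v4
  - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_MANIFEST):
        print(f"line {lineno}: {ref} is tag-addressed, not digest-pinned")
```

A digest pin only makes the pull immutable; it does not vet the content, so the pinned digest still has to come from an image that was actually reviewed.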

It's also hyperbole

btbuildem yesterday at 11:14 PM

It's terrifying because it's true for a majority of developers.