Hacker News

throw-12-16, today at 5:57 AM (0 replies)

Yes, and even more so now that we are vibe coding codebases with piles of random deps that nobody even bothers to look at.

You can mitigate it by fully containerizing your dev env, locking your deps, enabling security scans, and manually updating your deps on a lagging schedule.

Never use npm global deps; that is pretty much the worst thing you can do in this situation.
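Two of the mitigations in the comment above, "locking your deps" and "updating on a lagging schedule", can be checked mechanically. The script below is an added example, not the commenter's code: it audits a package-lock.json (lockfileVersion 2/3 layout) for entries that are not actually pinned (no `resolved` URL, a URL outside the expected registry, or a missing or weak `integrity` hash), and it picks the newest release of a package that has been public for at least N days, using the version-to-date map that `npm view <pkg> time --json` returns. The lockfile, package names, dates and hashes are constructed for the example; the registry URL and the cooldown of 14 days are assumptions.

```javascript
// Added example: lockfile pinning audit + "lagging schedule" version picker.
// Everything below is constructed inline so it runs offline with plain Node.

const EXPECTED_REGISTRY = "https://registry.npmjs.org/"; // assumption: public npm

// Constructed package-lock.json (lockfileVersion 3 shape) with two planted problems.
const lockfile = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-pad": "1.3.0" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-Q6fKUPqnAHAyhiUBHlv6rbQoL0pNHxzBfzt8lVxIdVp8z8JaXqiD0vMo5NT6W9tY4ZT7pB2mJ9nQq7bXr2Z0Dg==",
    },
    "node_modules/evil-util": {
      version: "0.0.1",
      resolved: "https://example.invalid/evil-util-0.0.1.tgz", // not the registry
      integrity: "sha512-Ux8mR9c7Z1Tn4xY3aJ2kVb5pQ0sLw6eHf7gDi8oPq9rSt0uVw1xYz2AbC3dEf4gHi5jKl6mNo7pQr8sTu9vWxA==",
    },
    "node_modules/no-hash": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/no-hash/-/no-hash-2.0.0.tgz",
      // integrity deliberately missing: the tarball contents are not pinned
    },
  },
};

// Returns a list of {pkg, problem} findings; an empty list means every entry is pinned.
function auditLockfile(lock, registry = EXPECTED_REGISTRY) {
  const findings = [];
  if (lock.lockfileVersion === undefined || lock.lockfileVersion < 2) {
    findings.push({ pkg: "<root>", problem: "lockfileVersion < 2; regenerate with a current npm" });
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project and workspace links have no tarball
    const name = path.replace(/^.*node_modules\//, ""); // keeps scoped names like @org/pkg
    if (!entry.version) findings.push({ pkg: name, problem: "no pinned version" });
    if (!entry.resolved) {
      findings.push({ pkg: name, problem: "no resolved URL (npm may re-resolve at install time)" });
    } else if (!entry.resolved.startsWith(registry)) {
      findings.push({ pkg: name, problem: `resolved outside ${registry}: ${entry.resolved}` });
    }
    if (!entry.integrity) {
      findings.push({ pkg: name, problem: "no integrity hash (tarball contents not pinned)" });
    } else if (!/^sha(256|384|512)-[A-Za-z0-9+/]+=*$/.test(entry.integrity)) {
      findings.push({ pkg: name, problem: `weak or malformed integrity: ${entry.integrity}` });
    }
  }
  return findings;
}

// Minimal x.y.z[-pre] parser so the example needs no semver dependency.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) if (pa[k] !== pb[k]) return pa[k] - pb[k];
  return 0;
}

// Constructed equivalent of `npm view some-lib time --json` for a hypothetical package.
const someLibTimes = {
  created: "2023-01-10T00:00:00.000Z",
  modified: "2024-06-08T00:00:00.000Z",
  "1.3.1": "2024-01-01T00:00:00.000Z",
  "1.3.2": "2024-05-01T00:00:00.000Z",
  "2.0.0-beta.1": "2024-06-01T00:00:00.000Z", // prerelease, never auto-selected
  "1.4.0": "2024-06-08T00:00:00.000Z",        // too fresh under a 14-day cooldown
};

// Newest stable version published at least minAgeDays before `now`, or null if none.
function pickCooledVersion(timeMap, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * 86400000;
  let best = null;
  for (const [version, published] of Object.entries(timeMap)) {
    const sv = parseSemver(version);
    if (!sv || sv.pre) continue;                        // skips created/modified and prereleases
    if (new Date(published).getTime() > cutoff) continue; // inside the cooldown window
    if (best === null || compareSemver(version, best) > 0) best = version;
  }
  return best;
}

console.log(auditLockfile(lockfile));
console.log(pickCooledVersion(someLibTimes, 14, new Date("2024-06-10T00:00:00Z")));
```

Run the audit in CI next to `npm ci` (which, unlike `npm install`, refuses to proceed when package.json and the lockfile disagree) and fail the build on any finding. The cooldown picker is the "lagging schedule" in code: a freshly published version, including a compromised one pushed by a hijacked maintainer account, is ignored until it has been public long enough for scanners and other users to notice it.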