The problem is that package managers are a distraction. You have to sandbox everything or else it doesn't work. These attacks use post-install hooks for convenience but nothing would have stopped them patching axios itself and just waiting for devs to run the app on their local workstation. So you end up needing to develop in a fully sandboxed environment.
Yeah, the whole rush on "post-run hooks bad" isn't really adding all that much to security.
Like, congratulations, your dev was compromised a whole 10 minutes later, after he ran code.