Pretty wary of the entire JS/nodejs ecosystem at this stage.
Given the general software quality of the JS ecosystem, the proliferation of supply chain attacks was just a matter of time. I'm curious how other ecosystems will hold up (e.g. Rust).
Same. At this point I've just started using virtual machines for any project that pulls in packages from outside the Linux distribution repositories.
Yes... The only things I use from the JS ecosystem are {Claude,Gemini}-cli, which I fear will be compromised. Fortunately I run them in their own user accounts with no e.g. SSH credentials, but I dread that's not enough, especially for Gemini, which probably has access to my entire Google account somehow.