‘No way to prevent this’, Says Only Development Community Where This Regularly Happens
— <https://itnext.io/no-way-to-prevent-this-says-only-developme...>
The Node ecosystem happens to be more vulnerable for social and software design reasons, it's true. But people need to be aware that PyPI and Cargo et al. are not in any fundamental way less vulnerable. This will happen there too.
"A well administered supply chain, being necessary to the freedom of an open internet, the right of the developers to keep and bear hundreds of uninspected transitive dependencies, shall not be infringed."
> Says Only Development Community Where This Regularly Happens
We've had such issues in other places as well... Shai-Hulud got into Maven [1] and PHP Composer [2], typosquatters got into Maven [3], and it's not new either [4].
No one is safe from skiddies, much less from nation state actors.
[1] https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spr...
[2] https://semgrep.dev/blog/2026/malicious-intercom-php-package...
[3] https://www.esecurityplanet.com/threats/malicious-jackson-lo...
[4] https://socket.dev/blog/malicious-maven-package-exfiltrates-...
Isn't this more like a "Macs don't have viruses" type scenario though?