They can and do indeed detect those attacks; it's just, from Microsoft's POV, a feature of Microsoft Defender (on Windows and Cloud) they sell:
https://www.microsoft.com/en-us/security/blog/2025/12/09/sha...
https://azure.microsoft.com/en-us/pricing/details/defender-f...
So this is presumably why they will never address this in npm itself.
Maybe they should prove their shit works first.
What a wonderful marketing opportunity! Leave it to Microsoft to blindly ignore it.