NPM debug and chalk packages compromised

Developer account got hijacked through phishing. @junon acknowledged this readily and is trying to get it sorted. Meanwhile, this is a mistake that can happen to anyone, especially under pressure. So no point in discussing the personal oversight.

So let me raise a different concern. This looks like an exploit for web browsers, where an average user (and most above average users) have no clue as to what's running underneath. And cryptocurrency and web3 aren't the only sensitive information that browsers handle. Meaning that similar exploits could arise targeting any of those. With millions of developers, someone is bound to repeat the same mistake sooner or later. And with some packages downloaded thousands of times per day, some CI/CD system will pull it in and publish it in production. This is a bigger problem than just a developer's oversight.

- How do the end user protect themselves at this point? Especially the average user?

- How do you prevent supply chain compromises like this?

- What about other language registries?

- What about other platforms? (binaries, JVM, etc?)

This isn't a rhetorical question. Please discuss the solutions that you use or are aware of.

> Meanwhile, this is a mistake that can happen to anyone, especially under pressure. So no point in discussing the personal oversight.

Unless this is a situation that could've been easily avoided with a password manager since the link was from a website not in your manager's database, so can't happen to anyone following security basics, and the point of discussing the oversight instead of just giving up is to increase the share of people who follow the basics?