The thing doing the rounds this week is another npm package being quietly compromised: a popular dependency, briefly shipping a version with code that tried to lift credentials, pulled once people noticed. If you weren't directly affected you still spent ten minutes checking, because that's the nature of these. The blast radius is "anyone who ran npm install at the wrong moment", which is a very large number of people who did nothing wrong.
What gets me about this class of incident isn't the malicious code, it's how ordinary the attack surface is. Nobody broke a cipher. Someone got publish access to a package that thousands of projects pull in transitively, and that was enough. We've built a world where a single maintainer's npm credentials can reach into your CI pipeline, and most of us couldn't name the maintainers of our own dependency tree if you asked.
I went and looked at one of our package-lock.json files afterwards, properly, scrolling the whole thing. It's hundreds of packages I never chose. That's the deal we made for velocity, and mostly it works, right up until a week like this one reminds you the trust is implicit and unaudited.
I don't have a clever fix. Lockfiles help, pinning helps, npm audit helps a bit. But the honest takeaway is that "I trust this code" usually means "I trust that nobody has bothered to poison it yet". This week somebody bothered.