
126 sats \ 0 replies \ @rblb 16 Sep
Installing npm packages feels like playing Russian roulette these days. This is 100x worse than the other attack.
Time for a new NPM / package registry using nostr keys? And integrating split payments as well! (which @getalby already has working I think).
So it sounds like it isn't just a supply chain attack anymore. It's a Trojan horse via supply chain that can replicate. Reminds me of early 2000s viruses.