Do you know how this is defended in corporate js development environments nowadays? Private package repo?

really interesting! i know hindsight is 20/20 but seems like a gaping large security hole for sure.