LMAO. The NodeJS/NPM ecosystem is hot garbage and I don't miss it:

"Every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagation vector. Their packages get infected, their downstream users install those, and if any of them have tokens, the cycle repeats."

https://thehackernews.com/2026/03/trivy-supply-chain-attack-triggers-self.html?m=1