You can make things a bit better immediately by installing on outbound firewall like Little Snitch or Open Snitch.And then if you install a malicious package that phones home, you might get an alert.Of course this doesn&#x27;t guarantee anything, as the package might activate the malicious behavior only under some specific circumstances. But it also doesn&#x27;t cost anything. So it&#x27;s a small win in my book.Here&#x27;s how it works in practice:<a href="https:&#x2F;&#x2F;askubuntu.com&#x2F;questions&#x2F;1145649&#x2F;apt-strange-requests-to-d16r8ew072anqo-cloudfront-net80" rel="nofollow noreferrer">https:&#x2F;&#x2F;askubuntu.com&#x2F;questions&#x2F;1145649&#x2F;apt-strange-requests...</a>--note this part in the accepted answer:&gt; they are surprised that more people hadn&#x27;t noticed the behavior in the past.

There is another ongoing thread in HN here: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=38641211">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=38641211</a> with extra feedback.

I mean, I use NPM, but I&#x27;m making a small traffic news site with no APT enemies. If you&#x27;re making a wallet and think &quot;Yes, auto-updating dependencies sounds like a good idea,&quot; maybe you&#x27;re not very good at security?

Can anyone using the NPM ecosystem actually control their supply chain?  Personally, I feel that anyone using JavaScript doesn’t care about such things.  Because they can’t.  Or has the landscape changed?

(Replying to PARENT post)

(Replying to PARENT post)

(Replying to PARENT post)

(Replying to PARENT post)