The package might not ever be executed on the user's machine. Depending on your setup, it might only be run on a server, where the data that can be exfiltrated is completely different.

Why are you downloading code if you're not even using it to run tests?

And if you run tests in CI/CD, or in a container, why are you downloading code locally? The only thing that comes to mind is code completion, but surely most people at least run unit tests locally before pushing the code out?

Sure, but like... come on. Is that really a defense? Most packages are run on devs' machines. And it's not like "Oh, it's just running on my production server, what could go wrong there" is any better.

We should not dismiss that it is slightly better. Production servers very rarely have creds to the source repository, nor to other production servers running possibly more sensitive code where investing in a smaller supply chain was justified.

You can't even install the package without running arbitrary code; that's quite different from most other package managers for languages.

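The point above (install alone runs code) is concrete enough to check mechanically. The following is an added example, not code from anyone in this thread; it assumes an npm-style package.json and uses npm's documented install-time lifecycle hooks (preinstall, install, postinstall, prepare) to list which packages in a dependency tree would execute a script during install. The sample manifests are constructed, not real packages.

```javascript
// Added example: enumerate the lifecycle scripts an npm-style package.json
// would run at install time, so a reviewer sees them before `npm install` does.
// Hook names follow npm's documented lifecycle; the sample tree below is constructed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Return [{hook, command}] for every install-time hook defined in one manifest.
function installTimeScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string' && scripts[hook].trim() !== '')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Reduce a dependency tree (package name -> manifest) to only those packages
// that carry install-time scripts; these are the ones worth reading before
// deciding whether `--ignore-scripts` or a manual review is warranted.
function packagesWithInstallScripts(manifests) {
  const result = {};
  for (const [name, pkg] of Object.entries(manifests)) {
    const hooks = installTimeScripts(pkg);
    if (hooks.length > 0) result[name] = hooks;
  }
  return result;
}

// Constructed sample manifests (hypothetical package names, not real ones).
const SAMPLE_TREE = {
  'left-pad-ish': { name: 'left-pad-ish', version: '1.0.0', scripts: { test: 'node test.js' } },
  'native-thing': { name: 'native-thing', version: '2.1.0', scripts: { install: 'node-gyp rebuild' } },
  'helper-lib': {
    name: 'helper-lib',
    version: '0.3.0',
    scripts: { postinstall: 'node scripts/setup.js', prepare: 'npm run build' },
  },
};

// Stand-alone run: print the packages that would execute code on install.
console.log(JSON.stringify(packagesWithInstallScripts(SAMPLE_TREE), null, 2));
```

For the sample tree only `native-thing` and `helper-lib` would run anything on install. The corresponding mitigation is `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`), with the trade-off that packages which genuinely need an `install` hook, such as native addons built via node-gyp, then require an explicit rebuild step. Note also that npm runs a dependency's `prepare` hook only when that dependency is installed from a git URL, so a listing like this is a superset of what a registry install actually executes.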
One malicious script that is run right after install, vs. one per API entry point that might or might not be called (transitive dependency).
