top | item 46360224

montague27 | 2 months ago

Is there an increasing trend of supply chain attacks? What can developers do to mitigate the impact?


HighGoldstein | 2 months ago

Mitigate? Stop using random packages. Prevent? Stop using NPM and similar package ecosystems altogether.

cromka | 2 months ago

That package wasn't any more random than any other NodeJS package. NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny.

That's what's needed and I am seriously surprised NPM is trusted like it is. And I am seriously surprised developers aren't afraid of being sued for shipping malware to people.

metaltyphoon | 2 months ago

> and similar package ecosystems altogether

Realistically, this is impossible.

christophilus | 2 months ago

Review and vendor your dependencies like it’s 1999.

hakcermani | 2 months ago

Are many of the packages obfuscated? Seems like here the server URL was heavily obfuscated and encrypted; that is a big warning flag, is it not? Auto-scanning a submitted package and flagging off obfuscated / binary payloads / install scripts for further inspection could help. Am wondering how such packages get automatically promoted for distribution ..

embedding-shape | 2 months ago

If you have to run it regardless, contain it as well as you can, given the potential impact. If you're not using the same machine for anything else, maybe "good riddance" is the way to go? Otherwise try to sandbox it, understanding the tradeoffs and (still) risks. Easiest for now is just to run everything in rootless podman containers (or similar), which is relatively easy. Otherwise VMs, or other machines. All depends on what effort you feel is worth it, so really what it is you are protecting.

throw-12-16 | 2 months ago

Yes, and even more so now that we are vibe coding codebases with piles of random deps that nobody even bothers to look at.

You can mitigate it by fully containerizing your dev env, locking your deps, enabling security scans, and manually updating your deps on a lagging schedule.

Never use npm global deps, pretty much the worst thing you can do in this situation.

spot | 2 months ago

use dependabot with cooldown.
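Three of the suggestions above (scan packages for install scripts, update on a lagging schedule, apply a cooldown before adopting a new version) can be checked mechanically against a lockfile. The script below is an added example written for this thread, not code from any commenter or from npm: the lockfile excerpt and the registry metadata are constructed inline, and `npm view <pkg> time --json` / `npm view <pkg>@<ver> scripts --json` are the real commands whose output the `registry` object stands in for.

```javascript
// Audit a package-lock.json (v2/v3 "packages" shape) for two supply-chain red flags:
//  1. a resolved version published less than COOLDOWN_DAYS ago (skip the "lagging schedule")
//  2. a package declaring install-time lifecycle scripts (code runs on `npm install`)
// Registry metadata is constructed here; in practice it comes from `npm view`.
const COOLDOWN_DAYS = 7;
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed lockfile excerpt (package names are made up for the example).
const lockfile = {
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/left-pad-ish": { version: "1.4.0" },
    "node_modules/colorful-log": { version: "2.0.1" },
    "node_modules/colorful-log/node_modules/tiny-util": { version: "0.9.3" },
  },
};

// Constructed stand-in for registry data: publish time per version and the
// package.json "scripts" of the resolved version.
const registry = {
  "left-pad-ish": { time: { "1.4.0": "2025-11-01T00:00:00Z" }, scripts: {} },
  "colorful-log": { time: { "2.0.1": "2025-12-19T12:00:00Z" },
                    scripts: { postinstall: "node setup.js" } },
  "tiny-util":    { time: { "0.9.3": "2025-12-20T08:00:00Z" }, scripts: { test: "jest" } },
};

function auditLockfile(lock, reg, nowMs, cooldownDays = COOLDOWN_DAYS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;                       // root project, not a dependency
    const name = path.split("node_modules/").pop();  // handles nested and @scoped paths
    const meta = reg[name];
    if (!meta || !meta.time[entry.version]) {
      findings.push({ name, version: entry.version, reason: "no registry metadata" });
      continue;
    }
    const ageDays = (nowMs - Date.parse(meta.time[entry.version])) / 86_400_000;
    if (ageDays < cooldownDays) {
      findings.push({ name, version: entry.version,
        reason: `published ${ageDays.toFixed(1)} days ago (< ${cooldownDays}-day cooldown)` });
    }
    const hooks = INSTALL_HOOKS.filter((h) => h in (meta.scripts || {}));
    if (hooks.length) {
      findings.push({ name, version: entry.version,
        reason: `declares install scripts: ${hooks.join(", ")}` });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(lockfile, registry, Date.parse("2025-12-22T00:00:00Z")), null, 2));
```

A non-empty result is a review queue, not a verdict: a fresh version or a postinstall hook is exactly the signal hakcermani asked the registry to surface, and the thread's advice is to wait out the cooldown or read the script before installing.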