npm's Defaults Are Bad

Yesterday the axios package was compromised on npm. An attacker hijacked a maintainer account, published two malicious versions that bundled a remote access trojan through a staged dependency called plain-crypto-js, and the versions were live for two to three hours before npm pulled them. Axios gets 83 million weekly downloads. This keeps happening over and over and over and the post-incident conversation always goes the same way: was the maintainer using MFA, should the registry have caught it faster, should people be running more scanners. None of that gets at why JavaScript keeps having these incidents at a rate no other ecosystem comes close to matching. The npm client’s defaults actively enable the attacks and have done for years.