Malicious NPM package targets prettier library (sourcecodered.com)
15 points by 6mile 3 months ago | hide | past | favorite | 7 comments



So if I understand the article correctly, the malicious .exe file was disguised using a Unicode right-to-left override (RTLO) attack?


Correct.
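Added example, not from the article or from anyone in this thread: a small Python scanner that flags package file names containing Unicode bidi control characters (such as U+202E, the right-to-left override) and reports the extension a user would see next to the one the OS actually uses. The file list is constructed.

```python
from typing import Dict, List

# Unicode bidi override/embedding/isolate/mark characters that change how a
# name is drawn without changing the bytes the OS uses to pick the extension.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}

# Constructed sample file list; the second entry mimics an RLO-disguised .exe.
SAMPLE_FILES = ["index.js", "bin/prettier\u202esj.exe", "README.md"]

def find_bidi_controls(name: str) -> List[tuple]:
    """(index, short name) for every bidi control in name; [] for clean names."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]

def real_extension(name: str) -> str:
    """Extension the OS actually uses: text after the last '.' in the raw string."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def rendered_name(name: str) -> str:
    """Approximate what a user sees: text after an RLO up to the next PDF (or end
    of string) is drawn right-to-left, i.e. reversed; other controls are dropped."""
    out, i = "", 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out += name[i + 1:end][::-1]
            i = end + 1
            continue
        if c not in BIDI_CONTROLS:
            out += c
        i += 1
    return out

def scan_package_files(paths: List[str]) -> List[Dict[str, str]]:
    """Flag every path containing a bidi control and show displayed vs. real extension."""
    findings = []
    for p in paths:
        controls = find_bidi_controls(p)
        if controls:
            findings.append({"path": p, "displayed_as": rendered_name(p),
                             "real_extension": real_extension(p),
                             "controls": ", ".join(f"{n}@{i}" for i, n in controls)})
    return findings
```

Running `scan_package_files` over a package's extracted file list (or a tarball's member names) before install gives a cheap pre-install check; a bidi control has no legitimate place in a package path.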


> Generally, it’s a good idea not to blindly install NPM packages.

Given the nature of npm that is pretty hard to avoid.


Transitive dependencies, yeah, but top-level dependencies that you are installing with npm i or via your manifest file are areas that you do control and can manage.


Very interesting read, very impressive. With GitHub's new feature of custom repository properties it can be so easy to implement a confirmation mechanism between a repository and an npm package, but I guess it could have been implemented by other means a long time ago.


Thanks! Lots of tooling out there, but not much uptake. I mean, npm itself has better, more secure alternatives, but is still the most popular registry on the planet. Like, wtf?!


wow, it ain't pretty!



