[ktRolster]

The article suggests this:

  >
  >As a user who owns modules you should not stay logged into npm. (Easily enough, npm logout and npmlogin)
  >Use npm shrinkwrap to lock down your dependencies
  >Use npminstall someModule --ignore-scripts
  >

I would add to toss a glance at the libraries you import every once in a while. Just to make sure they look sane.

[u223344]

--ignore-scripts won't help much. The act of using any npm module means you implicitly trust all the javascript code in the module and any of its dependencies. Has anyone taken the time to inspect every line of the dozens of modules that many common packages pull in? Not likely.