Well, isn't proper authentication a solution in and of itself? Using keys with pass phrases or requiring sudo to publish would theoretically mitigate this issue.
No, because it can just sit in the background and wait until you type your passphrase at some point. As soon as you run malicious code, it’s all over; no workarounds.
It would be nice if npm didn’t run arbitrary install scripts by default…