by properparity 1551 days ago
I guess people have forgotten the lessons of 90s Windows: Don't download and run random .exe from the internet; assume they are hostile until proven otherwise.

Don't download, install and run random code libraries from the internet; assume they are hostile until proven otherwise.

1 comment

I don't think that's really fair. Unity 3d and Vue.js are not random .exe.
I think their point might have been that Unity forgot that lesson. And everyone else, transitively, along the chain.

As horrible and impracticable as it sounds, the only way to prevent this happening is to read the source of every (and transitive) dependency you install. Yes, we can trust people, and yes, we can blame them when they betray our trust - we can even prosecute them - but as this shows, that's not always going to stop people. And it's certainly not going to stop attackers who gain control of those dependencies.

This is something we really need to think about as a profession. I would favour a system where dependencies are restricted to pure computation only (no syscalls) and any greater permissions must be granted explicitly. But that's extremely onerous, and likely - for many devs - to lead to a 'just click yes' mentality; even besides that, there are doubtless many cases it won't prevent. All I'm sure of is that we can't continue like this.