by dqv 81 days ago
How is it a smart move? Here, Microsoft is training users to ignore a security warning. If the same mechanism were added to NPM (that is, a warning that the package is suspicious and for the user to be extra sure they want it), users would have been trained to ignore any security warning issued for the compromised axios version (just like they had ignored it for all previous "clean" versions) and installed it anyway.
1 comments

It has certainly had that effect on me. When I heard that notepad++ was being flagged for something somewhere by someone, all I thought was "so they forgot to pay a protection fee?" Genuinely, I thought it was being brought up just as an indication that the developer may be absent or asleep at the wheel. There is literally no association in my brain between one of these warnings and the concept of software being compromised or not.

And I've seen other less tech inclined people click right through these without a moment's thought. They think it's just one of those things computers have to complain about.