Malicious Postinstall Hook Found in 700 GitHub Repos, Including Node Projects (socket.dev)
18 points by 882542F3884314B 33 days ago
4 comments

Postinstall hooks are a footgun. The bad part here is that people reviewing a PHP package may not even look closely at package.json.
Title is somewhat misleading. "Node projects" means projects using nodejs as opposed to projects under the Node.js org.
How many more examples of malware postinstall scripts do we need before Node quits running them by default, without warning?
All Composer packages (but the malicious part is in the node dependency)
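Two of the comments above (that reviewers of a PHP package may never look at a nested package.json, and that npm runs install hooks by default) point at a simple defensive check. What follows is an added example, not code from the linked Socket article or from any project it names: a scanner that walks a checkout, including Composer's vendor/ tree, and reports every package.json that declares an install-time lifecycle script. The hook list is my assumption about which npm lifecycle scripts run during install, and the sample tree it builds (`example/widget`, `node ./setup.js`) is constructed for the demonstration.

```python
import json
import os
import tempfile
from pathlib import Path

# npm lifecycle scripts that execute automatically during `npm install`.
# Assumption on my part; the article does not list them.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(root):
    """Walk `root` and return (relative path, hook, command) for every
    package.json that declares an install-time script. Vendored trees such
    as Composer's vendor/ are walked on purpose, since that is exactly where
    a PHP-focused reviewer would not look."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = Path(dirpath) / "package.json"
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to report here
        scripts = manifest.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append((str(path.relative_to(root)), hook, cmd))
    return findings


def build_sample_tree():
    """Constructed sample: a PHP app whose Composer-installed dependency ships a
    package.json with a postinstall script. Returns the temporary root."""
    root = Path(tempfile.mkdtemp(prefix="hookscan-"))
    (root / "composer.json").write_text('{"name": "example/app", "require": {}}')
    dep = root / "vendor" / "example" / "widget"
    dep.mkdir(parents=True)
    (dep / "composer.json").write_text('{"name": "example/widget"}')
    (dep / "package.json").write_text(json.dumps({
        "name": "widget-assets",
        "version": "1.0.0",
        "scripts": {
            "build": "webpack",
            "postinstall": "node ./setup.js",  # constructed hook for the demo
        },
    }))
    clean = root / "vendor" / "example" / "clean"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({
        "name": "clean-assets",
        "scripts": {"test": "jest"},  # no install-time hook: must not be reported
    }))
    return root


def scan_sample():
    """Build the constructed tree and scan it; handy for a quick check."""
    return find_install_hooks(build_sample_tree())


if __name__ == "__main__":
    for rel, hook, cmd in scan_sample():
        print(f"{rel}: {hook} -> {cmd!r}")
```

Run against a real checkout with `find_install_hooks("/path/to/repo")`; anything it reports deserves a look before `npm install` is run. The scan only reads manifests, so it is safe to run on untrusted code. As for the default-execution complaint in the thread, npm does honour `npm install --ignore-scripts` and an `ignore-scripts=true` line in `.npmrc`, which is the usual mitigation until upstream changes the default.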

Effected*

> Use effect as a noun to refer to a change resulting from something.