I think you can make a case that Node/NPM is more vulnerable to this than usual due to the huge number of packages pulled in by even simple applications. Can anybody really audit what 10k different packages are doing, and if any of them has had malicious code snuck in at some point?
It's not more vulnerable, it's as vulnerable as any other package manager where anyone may upload code without sufficient review for people to blindly install and run.
We have already seen this abused in browser extensions being repurposed to inject advertising, in node and ruby modules being converted to malware, cryptocurrency miners being added to games on Steam, etc. There was even a Nintendo Switch game that bundled a Ruby IDE; I believe iOS has had apps surreptitiously bundling other software too.
PowerShell has a security model. Also, Ryan Dahl (creator of node.js) is working on Deno as a replacement because he thinks he made a mistake with node.
Interesting. You think he is making mistakes again? He complains about "second system syndrome." I've been using Deno for hobby projects and find a lot to like about it.
There's a bit more to it than that. The article touches on the fact that what's on npm doesn't have to match what's on GitHub (which is true for any package system that isn't 100% backed by source control).
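One concrete way to check the mismatch the comment above describes, as an added example that is not part of the thread: hash every file in the published npm tarball (the `npm pack` layout, everything under `package/`) and compare it with the files in the git tree at the release tag. The sample tarball and source tree below are constructed in-memory so the script runs offline; in practice you would feed it the tarball from the registry and a checkout of the tagged commit.

```python
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_files(tar_bytes: bytes) -> dict:
    """Map path -> sha256 for regular files in an npm tarball.
    `npm pack` places every file under a leading 'package/' directory, which is stripped here."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            path = member.name
            if path.startswith("package/"):
                path = path[len("package/"):]
            out[path] = sha256(tf.extractfile(member).read())
    return out


def diff_against_source(tar_bytes: bytes, source_files: dict) -> dict:
    """Compare the published tarball with the source tree (path -> bytes) at the release tag.
    Files that exist only in the tarball, or whose content differs, are what an auditor wants to see."""
    published = tarball_files(tar_bytes)
    source = {p: sha256(b) for p, b in source_files.items()}
    return {
        "only_in_tarball": sorted(set(published) - set(source)),
        "only_in_source": sorted(set(source) - set(published)),
        "modified": sorted(p for p in published.keys() & source.keys() if published[p] != source[p]),
    }


def build_tarball(files: dict) -> bytes:
    """Constructed stand-in for `npm pack` output (gzipped tar, 'package/' prefix); demo data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(name="package/" + path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data: the git tree at the tag vs. what was actually published.
SOURCE_TREE = {
    "package.json": b'{"name":"demo","version":"1.0.0","main":"index.js"}\n',
    "index.js": b"module.exports = () => 42;\n",
}
PUBLISHED = dict(SOURCE_TREE)
PUBLISHED["package.json"] = b'{"name":"demo","version":"1.0.0","main":"index.js","scripts":{"postinstall":"node setup.js"}}\n'
PUBLISHED["setup.js"] = b"// file present in the tarball but absent from the repository\n"

if __name__ == "__main__":
    print(diff_against_source(build_tarball(PUBLISHED), SOURCE_TREE))
```

A clean release reports empty lists; here `package.json` shows as modified (a `postinstall` hook was added) and `setup.js` appears only in the tarball, which is exactly the kind of discrepancy a source-control-backed registry would make impossible.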