
In addition, any node_modules can read your .ssh folder (on Windows).



All code you install to your machine. System packages, Python packages in virtualenvs, scripts.

I don't keep important private keys in my .ssh folder. Well, it's just security by obscurity. An educated, determined attacker would find them. But some random malicious code would not immediately find them.

I run the Web browser in firejail (Linux).


The main issue here is that in the JavaScript ecosystem there is this trend of using external dependencies for everything, regardless of size (i.e., leftpad), and trusting forward versions blindly. Security in the npm / JS / node_modules ecosystem is quite reactive, instead of active.

If there is a bad actor that releases a widely used dependency, for sure it's going to be gone from npm quite fast most of the time! However, it'll take some time for it to get noticed, and people will invariably get affected.

You shouldn't bring an open honeypot to a place where bears can attack you easily, right?


If you remove the "regardless of size" part, you'll be describing any modern language dependency system.

And most of them also execute external code on module importation... which I'm not sure is even relevant, because you will run the module at some point anyway.

So, yeah, JS makes the problem one or two orders of magnitude larger. But the problem is still there, whether you use npm or avoid it.


That's why we all protect (encrypt) any private keys on disk with a strong passphrase, right?
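A quick way to audit the point this comment raises: the script below (an added example, not code from the thread) reads the header of each private key file and reports those stored without a passphrase. It parses the openssh-key-v1 envelope, whose first field names the cipher ("none" when unencrypted), and falls back to the "Proc-Type: 4,ENCRYPTED" header for legacy PEM keys; the sample envelopes it builds are constructed for testing and carry no real key material.

```python
"""Audit SSH private key files for a missing passphrase (added example)."""
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"   # fixed prefix of the new OpenSSH key format


def _wire_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire string: uint32 big-endian length + data."""
    return struct.pack(">I", len(b)) + b


def key_cipher(pem_text: str) -> str:
    """Return the cipher guarding a private key; 'none' means it is unencrypted."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a PEM-armored private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))   # ciphername length
        return blob[len(MAGIC) + 4 : len(MAGIC) + 4 + n].decode()
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): RFC 1421 headers precede the body.
    for ln in lines[1:]:
        if ln.startswith("Proc-Type:") and "ENCRYPTED" in ln:
            return "pem-encrypted"
        if ":" not in ln:
            break                                             # headers ended
    return "none"


def unprotected_keys(ssh_dir: Path) -> list[str]:
    """Names of private key files in ssh_dir readable without a passphrase."""
    hits = []
    for p in sorted(ssh_dir.iterdir()):
        if p.is_file() and p.suffix != ".pub":
            text = p.read_text(errors="ignore")
            if "PRIVATE KEY-----" in text and key_cipher(text) == "none":
                hits.append(p.name)
    return hits


def sample_openssh_key(cipher: str) -> str:
    """Constructed test envelope: header fields only, no real key material."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    body = MAGIC + _wire_string(cipher.encode()) + _wire_string(kdf)
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Run `unprotected_keys(Path.home() / ".ssh")` to list your own keys that would be readable in the clear by anything running under your account.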


Woah, this just gave me an uneasy feeling...




