Why npm is still not blocked by every OS on earth is beyond me. These guys will never learn.
FYI, npm 12 will have more secure defaults https://github.blog/changelog/2026-06-09-upcoming-breaking-c... but it will be a while for the ecosystem to catch up, and npm's reputation is already damaged.
How does npm differ from any other package manager in that sense?
Because uh every OS on earth has the exact same vulnerabilities? How are you supposed to stop a user from downloading something random from the internet and running it?
npm is hard to avoid, as other ecosystems have integrated it as a cross-platform build/installer script bootstrap.
Indeed, all things nodejs are usually a dumpster fire at a hair salon, but the real point here was people always inherit whatever the previous cheapest labor built at that office. Also, usually people don't get to make architectural decisions for a long time. =3
Nothing to do with npm itself. This sort of scam would have worked with many different technologies, even a Makefile.