• Sv443@sh.itjust.works
    2 days ago

    JavaScript is the most popular language and runs not just websites that handle private credentials but also on the desktop via frameworks like Electron or Tauri, and npm happens to be the biggest package registry for JavaScript.
    So it is just one of the most lucrative targets for bad actors, since you get the benefit of infecting end users, developers, companies, websites, servers, and more in just one good hack.
    Also, up until very recently, the most popular JS framework, Node, didn’t have permission controls, meaning any installed library had the same privileges as the user running the program.