The last time this attack showed up I thought the only way to prevent it was to switch to Deno and have that install your npm packages because it runs JavaScript in a container by default.
I found another way. Use the `--ignore-scripts` flag when you are installing packages.
This malware is delivered by package pre- and post-install scripts: the `preinstall`, `install` and `postinstall` lifecycle hooks that npm runs automatically, with your user's privileges, for every package it installs. Nothing else in a package executes until your own code, build tool (Webpack, say) or test runner imports it, so blocking the lifecycle scripts closes the install-time vector; it does not protect you from malicious code in a package's modules once you actually run them. 98% of npm packages don't have a pre or post install script, so it's likely you don't need to enable them; the ones that do are typically packages that compile native addons or download platform binaries. There are also ways to run them only for specific packages you have reviewed. One caveat: `ignore-scripts` also suppresses your own project's lifecycle scripts, such as a `prepare` step, so a build that relies on one has to run it explicitly.
You can disable scripts on the command line, or in your npm config.
On the command line:
```bash
npm install --ignore-scripts
```
or:
```bash
npm install --ignore-scripts PACKAGE_NAME
```
In your npm config (`~/.npmrc`, or `.npmrc` in your project directory):
```dosini
ignore-scripts = true
```
Here is a [full article](https://www.nodejs-security.com/blog/npm-ignore-scripts-best-practices-as-security-mitigation-for-malicious-packages) on using `--ignore-scripts`.