
I don't have a problem with GitHub or NPM taking down his project. Just like I don't have a problem with him poisoning it if he so chose. I do have a problem with people here whining about their own selfish wants. Again not one person is obligated to use faker.js, if you wanted the security that parts of your code base would not be tampered with, then you probably shouldn't have been using a third party library that wasn't under your control in the first place. Common sense is all too lacking here across the first world.


At the end of the day, open source is built on trust. Even the more paranoid-architected flows outside of npm (checksums via side-channel, curated package distributions maintained by a third-party such as debian) don't protect the end-user from actual malicious action on the part of the trusted source. Consider the story of how University of Minnesota got banned from adding patches to Linux (https://www.theverge.com/2021/4/30/22410164/linux-kernel-uni...). In that case, they were caught. But if they weren't caught (or if a critical mass of Linux maintainers went rogue and were in on it)? Enough malicious actors with the right credentials can publish and checksum a damaging package in any system that allows code reuse. It is, perhaps, riskier to rely on a system with one maintainer. If that's the case, moving Faker.js to community-controlled was a great first step in restoring trust in the package; it's harder to compromise a group.

We can sit here and cluck our tongues and say "Should have known better than to trust someone else's code," but that's just victim-blaming. Marak broke trust. He took advantage of a system with a vulnerability and he exploited it. And everybody uses a system that is vulnerable in some way.

Because he did this, the system interpreted his actions as damage and routed around them. The system may change to make this attack harder in the future. And the result will be more complex and have more failure modes, and everything will be slightly worse as a result because we have to replace with process what we were previously able to do with human-to-human trust. "Nice job breaking it, hero."
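The point above, that checksums only prove a package is what the trusted source published and not that the source was benign, as an added example that is not code from this thread. It uses constructed package names, versions and tarball bytes (nothing here is a real faker.js artifact) to show that a lockfile pin rejects an unexpected new release, while a registry-published integrity hash for a sabotaged release still verifies.

```python
import base64
import hashlib

def sri_integrity(tarball: bytes) -> str:
    """npm-style Subresource Integrity string: 'sha512-' + base64(sha512(tarball))."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode("ascii")

def verify_against_lockfile(lockfile: dict, name: str, version: str, tarball: bytes) -> bool:
    """Consumer-side check: accept only the exact version pinned in the lockfile,
    and only if the tarball bytes match the integrity recorded when it was pinned."""
    entry = lockfile.get("packages", {}).get(f"node_modules/{name}")
    if entry is None or entry.get("version") != version:
        return False  # a newer release, even from the real maintainer, is rejected
    return entry.get("integrity") == sri_integrity(tarball)

def verify_against_registry(registry: dict, version: str, tarball: bytes) -> bool:
    """Registry-side check: the integrity was computed by the publisher at publish
    time, so it verifies whatever the trusted maintainer chose to publish."""
    published = registry.get(version)
    return published is not None and published["integrity"] == sri_integrity(tarball)

# Constructed sample data (hypothetical package "demo-faker", not real tarballs).
GOOD_TARBALL = b"demo-faker 1.0.0: generates fake names\n"
SABOTAGED_TARBALL = b"demo-faker 1.0.1: maintainer-published sabotage\n"

LOCKFILE = {
    "packages": {
        "node_modules/demo-faker": {
            "version": "1.0.0",
            "integrity": sri_integrity(GOOD_TARBALL),
        }
    }
}

# The registry stores the integrity each release was published with; the
# sabotaged release carries a perfectly valid hash because the maintainer made it.
REGISTRY = {
    "1.0.0": {"integrity": sri_integrity(GOOD_TARBALL)},
    "1.0.1": {"integrity": sri_integrity(SABOTAGED_TARBALL)},
}

if __name__ == "__main__":
    print("pinned good release:", verify_against_lockfile(LOCKFILE, "demo-faker", "1.0.0", GOOD_TARBALL))
    print("pinned vs sabotaged release:", verify_against_lockfile(LOCKFILE, "demo-faker", "1.0.1", SABOTAGED_TARBALL))
    print("registry hash of sabotaged release:", verify_against_registry(REGISTRY, "1.0.1", SABOTAGED_TARBALL))
```

The lockfile pin is what a consumer controls; the registry hash only detects tampering between publish and download, which is why a committed lockfile plus review before bumping versions matters more than the checksum itself.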