On Linux, realistically, whatever user you installed the malicious npm package with has access to everything you care about anyway.
I had an idea to always run two users: the "main" one (or more) and a "project" one. One could sudo to the project user, but that one could not sudo out (npm would only be installed for the project user).
Every user, since privesc is so easy on most operating systems.
Sure, without exploits they can steal your API keys, read your personal data, and access your browser data. With exploits they can update packages on your computer too.
No exploits needed. A simple shell alias will suffice. See my example in the sibling comment.
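The "sibling comment" with the commenter's alias example is not on this page. As an added illustration (not the commenter's code, and not anything from npm), the script below simulates the precondition that comment refers to: code running as the unprivileged user (say, an npm postinstall hook) appends an `alias sudo=...` to the user's rc file, so the user's next `sudo` runs attacker-controlled shell code before the real binary. The "payload" here only writes to stderr and passes through; a real one would capture the typed password. The second function is the check a practitioner would want: resolve what `sudo` means after the rc file is loaded and flag anything that is not the on-disk binary. All paths are in a throwaway `$HOME` under `mktemp`, and the function names (`plant_sudo_alias`, `check_sudo_resolution`, `scan_rc_for_sudo_overrides`) are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Everything runs against a temporary rc
# file, never the real ~/.bashrc.

# Simulated attacker step: append an alias that shadows `sudo`. No root, no
# exploit; just write access to a file the victim's shell sources.
plant_sudo_alias() {
  local rc="$1"
  cat >> "$rc" <<'EOF'
# line an attacker might bury among legitimate rc content
alias sudo='echo "[hijacked] attacker code runs here before real sudo" >&2; command sudo'
EOF
}

# Defender check 1: what does `sudo` resolve to once the rc file is loaded?
# Returns 0 if it is the binary (or absent), 1 if an alias or function has
# taken its place. Runs in a clean non-interactive bash so the caller's own
# environment does not influence the answer.
check_sudo_resolution() {
  local rc="$1" kind
  kind=$(bash --noprofile --norc -c \
    'shopt -s expand_aliases; source "$1" 2>/dev/null; type -t sudo || true' _ "$rc")
  case "$kind" in
    alias|function) return 1 ;;   # shadowed: rc file has been tampered with
    *)              return 0 ;;   # "file" (real binary) or "" (not installed)
  esac
}

# Defender check 2: static scan of an rc file for sudo overrides, for use when
# you would rather not source untrusted content at all. Prints matching lines;
# returns 0 when something was found, 1 when the file is clean.
scan_rc_for_sudo_overrides() {
  local rc="$1"
  grep -En '^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo\b)' "$rc"
}

demo() {
  local home rc
  home=$(mktemp -d)
  rc="$home/.bashrc"
  # constructed: an ordinary rc line so the file is not empty
  printf 'export PATH="$HOME/bin:$PATH"\n' > "$rc"

  check_sudo_resolution "$rc" && echo "before: sudo resolves to the binary"
  plant_sudo_alias "$rc"
  check_sudo_resolution "$rc" || echo "after: sudo is now an alias; rc file tampered"
  scan_rc_for_sudo_overrides "$rc"
  rm -rf "$home"
}

demo
```

The dynamic check is the more honest one: an attacker can hide the override behind `eval`, a sourced file, or a `$PATH` entry ahead of `/usr/bin`, none of which the grep sees, whereas `type -t sudo` reports whatever the shell will actually run. Run `type sudo` (and `type -a sudo` to see shadowed entries) in your own interactive shell after any untrusted install; the answer should be a single path.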