> Agreed, but I think using the same device to access your password manager and for dev

Almost all the development I do, and that most others do, is on our projects or projects we're at least interested in, and most likely dove into; that's why we're developing in them in the first place.

In this case, it seems like the developer wasn't actually developing anything, but playing around with image generation on his time off, for fun, and ended up pulling down a random 3rd party thing and got compromised that way. Very different from "for dev" I'd say.

Besides, didn't most developers start isolating projects from each other when the first npm worms started to appear? I know I stopped running `npm install` in the same environment I do my banking, and drastically reduced the amount of random 3rd party stuff I have; still use all the same device though. Even have a Windows install on the same computer, booo!