In all seriousness, what do we do now? Has this been stopped? Is it safe to start scanning our deps and know we find everything? Do we have to assume running `npm install` is extremely dangerous right now? What is npm doing?

I’ve advised my company to pause JavaScript development for the time being, and that surely can’t be it?
narrativ.es/@janl/115606622055
