Fortunately, the spread of trojanized packages is limited to newly built applications only, because nobody updates NPM libs anyway 🤷‍♂️

So as long as everyone sticks to the tried strategy of "let's hold and wait to see if others get infected", we don't need any package signatures etc.

zdnet.com/article/malicious-np