A fictional story showcasing a smart (social engineering) exploit to use npm packages as a backdoor vector for malicious code.
On any page that collects any data that you don’t want me (or my fellow attackers) to have, don’t use npm modules. Or Google Tag Manager, or ad networks, or analytics, or any code that isn’t yours.
The author even illustrates how a CSP header will not fully prevent this kind of attack. In the end, it boils down to the summary of the article:
My goal (as it turns out) is simply to point out that any site that includes third party code is alarmingly vulnerable, in a completely undetectable way.
The recommendation would be to use sandboxed iframes with hand-crafted JS for any sensitive input pages.