Modern software development is such a mess. How did we come to accept networked dependency managers that download and execute untrusted code, with no sandboxing and without user consent, as the norm? That used to be called an RCE vulnerability. There need to be technical measures against this. Or better yet: avoid networked dependency managers if you can. Treat every dependency like the liability it is.
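One such technical measure, as an added example that is not part of the original post: with npm taken as one instance of a networked dependency manager, the script below reports which installed packages declare lifecycle hooks that would run code at install time, so a tree fetched with `--ignore-scripts` can be reviewed before any of it executes. The hook names are npm's real ones; the package names and script commands are constructed.

```python
"""Surface which dependencies would execute code at install time (added
example; npm hook names are real, package names and scripts are constructed)."""
import json
from pathlib import Path

# npm runs these hooks for every installed package unless the
# ignore-scripts setting is on (e.g. `ignore-scripts=true` in .npmrc).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed manifests standing in for node_modules/<pkg>/package.json.
SAMPLE_MANIFESTS = {
    "left-padder": json.dumps({"name": "left-padder", "version": "1.0.0",
                               "scripts": {"test": "node test.js"}}),
    "native-thing": json.dumps({"name": "native-thing", "version": "2.3.1",
                                "scripts": {"install": "node-gyp rebuild"}}),
    "helper-lib": json.dumps({"name": "helper-lib", "version": "0.9.0",
                              "scripts": {"postinstall": "node setup.js",
                                          "build": "tsc"}}),
    "no-scripts": json.dumps({"name": "no-scripts", "version": "0.1.0"}),
}

def install_hooks(manifest_json: str) -> dict:
    """Return {hook: command} for each install-time hook a manifest declares."""
    scripts = json.loads(manifest_json).get("scripts") or {}
    return {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}

def packages_running_code(manifests: dict) -> dict:
    """Map package name -> hooks for every package that runs code on install."""
    report = {}
    for name, manifest_json in manifests.items():
        hooks = install_hooks(manifest_json)
        if hooks:
            report[name] = hooks
    return report

def load_node_modules(root: str) -> dict:
    """Read manifests from a real node_modules/ tree (scoped packages included)."""
    base = Path(root)
    files = list(base.glob("*/package.json")) + list(base.glob("@*/*/package.json"))
    return {str(p.parent.relative_to(base)): p.read_text() for p in files}

if __name__ == "__main__":
    # Review this output before running `npm install` with scripts enabled.
    for name, hooks in packages_running_code(SAMPLE_MANIFESTS).items():
        for hook, cmd in hooks.items():
            print(f"{name}: would run `{cmd}` at {hook}")
```

Swap `SAMPLE_MANIFESTS` for `load_node_modules("node_modules")` to run it against an actual tree.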