Stupid question, but what separates this from node-ipc? Is it simply that node-ipc was not announced as having malicious code, but "actual-malware" was?
Also, I keep seeing people use terms like "legacy definitions" and "security assumptions" without actually saying what they are. I think this is a big part of the problem, and one reason I want to have a pile of data to refer to: e.g. we may not be able to define "X" right now (if ever), but it's helpful if we have a pile of "clearly X", "clearly not X", and "we're not sure if this is X or not", which leads me to "GSD all the things and tag the data so that sorting them out is easy."