MITRE just assigned me 5 CVEs across 3 npm packages you've never thought about. 500M+ downloads a month. the scariest vulns aren't in your code. they're in your node_modules. names drop when the embargo lifts.