hennell | 3 days ago
Anyone is a literal stretch, but "almost anyone" seems pretty true. How many people do you think follow your very security-minded, but quite long-winded, practice? 1 in 1,000? 1 in 10,000? 1 in 100,000? Less? I think the vast, vast majority of people would have fallen for it: it's a decent-looking message, it has a sense of urgency, and the domain doesn't look wildly wrong. Devs in theory might be more security-aware, but we also work with a lot of different apps, systems and sites (mixed domains, weird deep links, redirects); we've all used, and possibly even deployed, such setups. Add in that most of my email is now through a corporate Outlook, so domains aren't very visible; it's all nestled behind "safelinks", and personal email is often on a phone, so mousing over a link just isn't muscle memory anymore. I think I'd be suspicious at the request, but I possibly would have clicked to see more, especially with the threat that things might stop working soon. Maybe NPM/package platforms should be pushing security training to their biggest maintainers like your old corporation did, but for now they don't, and the idea that people should be more aware of the risk is sort of the point. Almost anyone would have fallen for that; that's why almost all of us need to be reminded to think of this stuff more.
brushfoot | 3 days ago | parent
Thank you for implying I'm one in a million, but this just underscores why I avoid ecosystems like Node in favor of more top-down ones like .NET. When a lone developer is untrained and doesn't follow best practices, as happened here, the community rushes to their defense on the grounds of empathy: "We would ALL make this mistake." But what if we wouldn't? What if we're trained and have certain safety protocols and procedures that we hold ourselves to? This is why, at the end of the day, I run my company on a more centralized ecosystem, for all its warts. At least there's the promise of standard practices and procedures and training, whether it's always perfectly fulfilled or not. With a community-driven ecosystem, you don't have that: you're relying on the standards of the community, a vague and nebulous group that doesn't necessarily have any security sense, as you rightly pointed out. I realize not everyone has the luxury of making that choice due to career/financial constraints.