aiahs 5 hours ago

One thing I haven't seen talked about at all is the local development setup. I was thinking of putting node/js projects fully into docker containers (and mounting the project directory as a volume for hot reloading). While this doesn't fix the CI attack vector, it should mitigate risk for personal/work machines.

I'd be interested in hearing the setup other people have for their dev envs. Also, are you using separate browsers for Dev/Internet?

ry8806 2 hours ago

I actually posted about my own Docker setup this morning: https://ryansouthgate.com/secure-node-in-docker/

I use this on all my front end projects and it protects my "host" machine from malicious packages. It's not a silver bullet, though; other practices, e.g. good secret management, will help harden your dev environment from these attacks.
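
One way to run the container setup discussed in this thread with the project directory as the only host mount, as an added example (not either commenter's setup, and not the configuration from the linked post). The `node:22-slim` image, port 3000 and the `npm run dev` command are assumptions, and `node_sandbox` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: start a Node dev server in a locked-down container.
# Assumed, not from the thread: image node:22-slim, `npm run dev`, port 3000.
# Usage: node_sandbox <project-dir> [port]   (DRY_RUN=1 prints the command only)
node_sandbox() {
    # Resolve the project directory; fail if it does not exist.
    dir=$(cd "$1" 2>/dev/null && pwd) || { echo "no such directory: $1" >&2; return 2; }
    port=${2:-3000}

    # Never mount / or the home directory: that would hand SSH keys, cloud
    # credentials and browser profiles to whatever runs inside the container.
    case $dir in
        /|"$HOME") echo "refusing to mount $dir" >&2; return 1 ;;
    esac

    # Non-root user, no capabilities, no privilege escalation, read-only root
    # filesystem with a scratch /tmp, and the dev port bound to loopback only.
    set -- run --rm --interactive --tty \
        --user "$(id -u):$(id -g)" \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --read-only --tmpfs /tmp --env HOME=/tmp \
        --volume "$dir:/app" --workdir /app \
        --publish "127.0.0.1:$port:$port" \
        node:22-slim npm run dev

    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "docker $*"
    else
        docker "$@"
    fi
}
```

The project mount stays writable so hot reloading works, which means code in the container can still change files the host later executes (for example `.git/hooks` or `package.json` scripts); keep secrets such as `.env` files and tokens out of the mounted directory.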