So the npm exploit happened because the developer was on bluesky and clicked on an email from them.

Had he been on Nostr, all those npm packages wouldn't have gotten compromised.

Discussion

As Nostr is decentralized and relatively unchecked without a centralized governance of content, I assumed security would be more up to the end user; is it not less secure in almost all circumstances? Like I could click a nasty link directly on Nostr, right?

Yup

Yeah, but you'll never get an email from "nostr" asking you to login

True, but 1 less email attack is marginally better security.

Being able to easily identify legitimate addresses easily is a big deal, actually. I've been frustrated frequently, lately, with the "is this email phishing or legit" conundrum.

Even if you think "I'll just go to their website and check", they often have legit looking websites whose address is almost-identical to the original.
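The near-identical-address problem in the comment above is the kind of thing a small, mechanical check handles better than eyeballing. The following is an added example, not code from anyone in this thread: it classifies a sender domain against a short allow-list the defender maintains, catching three common tricks (a trusted name buried as a sub-domain of something else, look-alike characters including non-ASCII ones, and one- or two-character edits). The allow-list and every sample domain are constructed for the example.

```python
"""Flag sender domains that are near-misses of domains we trust.

Added example; the allow-list and the sample domains are constructed
assumptions, not data taken from the discussion thread.
"""

# Characters or pairs that imitate another character in common fonts.
# Deliberately small; extend the table to match your own threat model.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "ı": "i", "ο": "o", "а": "a", "е": "e", "р": "p", "с": "c",  # Latin/Greek/Cyrillic look-alikes
}


def normalize(domain: str) -> str:
    """Lower-case, decode punycode (xn--) labels, strip a trailing dot."""
    domain = domain.strip().rstrip(".").lower()
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: keep it as given
    return domain


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so 'nprnjs.c0m' compares equal to 'npmjs.com'."""
    for bad, good in CONFUSABLES.items():
        domain = domain.replace(bad, good)
    return domain


def registrable(domain: str) -> str:
    """Last two labels. A simplification: real code should consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str, allow_list: list[str]) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a sender domain."""
    dom = normalize(sender_domain)
    trusted = [normalize(d) for d in allow_list]

    # Exact match or a genuine sub-domain (mail.npmjs.com) of a trusted name.
    for legit in trusted:
        if dom == legit or dom.endswith("." + legit):
            return "legit"

    for legit in trusted:
        # Trusted name used as a sub-domain of something else: npmjs.com.alerts.example
        if legit in dom:
            return "lookalike"
        # Same string once look-alike characters are collapsed: nprnjs.com, npmjs.cоm
        if skeleton(dom) == skeleton(legit):
            return "lookalike"
        # One or two edits away on the registrable part: npmjs.co, npmjs.cm
        if levenshtein(registrable(dom), registrable(legit)) <= 2:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed samples for a quick look at the output.
    allow = ["npmjs.com"]
    for sample in ["npmjs.com", "Mail.NPMJS.com.", "nprnjs.com",
                   "npmjs.co", "npmjs.com.account-verify.example",
                   "npmjs.cоm", "github.com"]:
        print(f"{sample:36} -> {classify(sample, allow)}")
```

The threshold of two edits is a trade-off: it catches most typosquats of a name as long as `npmjs.com`, but on very short names it will also flag unrelated domains, so in practice the "lookalike" verdict should feed a warning banner or a review queue rather than a hard block.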

Yeah. But Nostr doesn’t fix this. By now someone should have a better tech solution, same with spam calls and texts.

Nostr;

His name is bad at computer, just saying 😂

🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣

I saw that, too. Cringe.

How many of us have put our nsec into a signer or other app, without checking first, if it's compromised?

How many of us download every update, immediately, without reviewing the code?

Do we know how safe the NWC functionality is?

How much software is just always pulling "largest"?

Meh. Dunno.

Most of our stuff is at least partially vibe-coded and nobody has a comprehensive test architecture and smooth DevOps. And the tests we have were written by AI and often not even reviewed.

We're probably much much worse, TBH.

The pwn has nothing to do with either bluesky or nostr

people prefer to learn by pain, most of the time

Nonsense. Malware can spread through Nostr just as easily as anywhere else.

No, that's not accurate. I have seen a screenshot of the email and it was a message spoofing npm, not Bluesky.