I was with it until he got to the bit about pen testers: 7am to 7pm where? Is there any basis for the conclusion that no pen testers work on off-hours, or that none live in a different time zone from whichever one he's using? I also find it difficult to believe that the detection methods he describes are the only ones available. This also presumes that you're putting your credit card info into a site that uses nodeJS to begin with. Especially because this issue, i.e. the lack of verification on npm packages, has been known about for years. I mean, I read about it years ago, and I'm hardly on the cutting edge of network security.What hours do they work? My code doesn’t send anything between 7am and 7pm. It halves my haul, but 95% reduces my chances of getting caught.