I like CSP. But I don't think the moral of this story is CSP protects you. If you install malicious packages, everything is lost; the moral is we need to talk about trustworthy package managers. https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5 …
CSP probably does make it a lot harder to achieve undetected exfiltration like this. But indeed it's not real safety.