Hmmmm, man muss halt seinen ganzen Dependencies vertrauen. Und das sind schnell einmal ein paar hundert Packages. Aber muss man das nicht auch schon heute?https://twitter.com/mathias/status/949386790011535361 …
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
I know, but my (indeed not very strong) concern is if this kind of attacks are easier to hide than an easy to spot preinstall script. Since I'm just taking my first steps from RingoJS to the Node ecosystem, trusting tons of packages is quite new for me 
Except now the have root+ read access to the whole machine's memory; so its increased over just arbitrary code with user access
Good point
Since we always use a separate user for the web apps, this was at least protection against root-level attacks.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.