Always turn off pre- and post-install scripts; many of the attacks have taken advantage of the fact that most people leave those on by default. And don't even get me started on how the "getting started" instructions for so many MCP servers and AI tools involve just yoinking a package straight from NPM and running it with `npx`.