The article seems to suggest the openclaw on compromised developer machines had something like root rights - "full system access", "install itself as a persistent system daemon surviving reboots".
What am I missing here, I thought npm didn't run as root (unlike say apt-get)?
Full system access = it's not sandboxed, it has access to anything that the user can access, and it seems to use systemd user units which don't require root access.
What am I missing here, I thought npm didn't run as root (unlike say apt-get)?