In the course of two months (July and August), security experts at GitHub have discovered arbitrary code execution vulnerabilities in the open-source Node.js packages, tar, and @npmcli/arborist.