POLA. Principle of least authority.
How would POLA have helped? post 
The JavaScript world was rocked this week by news that the popular npm package event-stream included malicious code that attempted to steal the private keys of certain Bitcoin users. Since the attack was discovered, both the JavaScript community and the cryptocurrency community have been passionately debating how to prevent such an attack. At Agoric, we think this attack was entirely preventable, and the answer is POLA, the Principle of Least Authority.
Agoric posted a teaching moment in support of POLA and the now (unFrozen) Realms at TC39.
.
Discussion continues on Hacker News post