Shit like this is happening almost daily. Npm should require all releases and commits be signed.
https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-23m-weekly-downloads/
Single user instance for Dustin Wilson