This here event where ownership of an npm module was transferred over to a malware actor has me wound up in a bit of paranoia.
It isn't that we didn't see this coming. A lot of people did and warned about this exact scenario. For example: https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
It's more that it triggers, again, my worry about how unsustainable the current OSS ecosystem looks, relying almost entirely on unpaid labour and burnt-out maintainers.
Which is a very 😱 kind of thought.