Listening to an episode of Libre Lounge from a few months back, it was fascinating to hear about the two recent vectors that compromised projects via npm.
Both were supply chain attacks: one a compromised build, the other a kind of social-engineering hijacking of a no-longer-maintained repository.
https://librelounge.org/episodes/episode-2-thanksgiving-npm-and-malware-in-free-software.html