Hacker News
by lftl 2056 days ago
A popularity score that combines age of the package, number of downloads, and the number of packages that depend on the package in question could give a quick metric for cases like this, helping people realize that this probably isn't the official Twilio package.

All of that is roughly available on the npm website, but isn't really exposed in the CLI.

1 comment
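As an added illustration of the idea in the comment above (example code written for this page, not lftl's code and not anything the npm CLI ships), here is one way a tool could compute such a score from registry metadata and rank a set of same-named or near-named candidates. It goes slightly beyond the comment by also flagging a low-scoring package whose name sits within a few edits of a much more popular one, which is the "probably isn't the official package" signal the comment is after. The package records, the log-scaling, the weights, the saturation points and the edit-distance threshold are all constructed assumptions for illustration, not npm conventions.

```javascript
// Added example (not from the HN thread, not npm's own code): a toy popularity
// score combining package age, download count and dependent count, plus a
// name-similarity check that flags likely lookalikes of a popular package.
// All package records below are CONSTRUCTED sample data, not real registry output.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed records in the shape a CLI could assemble from registry metadata
// (`time.created`), the downloads API and a dependents count. Names and numbers
// are invented for illustration.
const SAMPLE_PACKAGES = [
  { name: "examplelib",     created: "2014-03-01T00:00:00Z", weeklyDownloads: 1200000, dependents: 3400 },
  { name: "examplelib-js",  created: "2023-11-20T00:00:00Z", weeklyDownloads: 75,      dependents: 0 },
  { name: "exanplelib",     created: "2023-12-02T00:00:00Z", weeklyDownloads: 12,      dependents: 0 },
  { name: "unrelated-util", created: "2019-06-15T00:00:00Z", weeklyDownloads: 40000,   dependents: 120 },
];

// Age in days relative to a caller-supplied "now" so results are deterministic.
function ageDays(pkg, now) {
  return Math.max(0, (now - Date.parse(pkg.created)) / DAY_MS);
}

// Popularity score in [0, 1]. Each signal is log-scaled and capped so one huge
// number cannot dominate; the weights and saturation points are assumptions.
function popularityScore(pkg, now) {
  const age = Math.min(1, Math.log10(1 + ageDays(pkg, now)) / Math.log10(1 + 365 * 5)); // saturates near 5 years
  const downloads = Math.min(1, Math.log10(1 + pkg.weeklyDownloads) / 7);             // saturates at 10M/week
  const dependents = Math.min(1, Math.log10(1 + pkg.dependents) / 4);                  // saturates at 10k dependents
  return 0.3 * age + 0.4 * downloads + 0.3 * dependents;
}

// Plain Levenshtein edit distance (single-row dynamic programming).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Rank candidates by score and flag likely lookalikes: a package scoring well
// below another whose name is within `maxEdits` of its own. Thresholds are
// assumptions chosen for this example.
function assessPackages(pkgs, now, { maxEdits = 3, ratio = 0.5 } = {}) {
  const scored = pkgs
    .map((p) => ({ ...p, score: popularityScore(p, now) }))
    .sort((x, y) => y.score - x.score);
  return scored.map((p) => {
    const target = scored.find(
      (q) => q.name !== p.name && p.score < ratio * q.score && levenshtein(p.name, q.name) <= maxEdits
    );
    return { name: p.name, score: Number(p.score.toFixed(3)), lookalikeOf: target ? target.name : null };
  });
}

// Stand-alone run: print the ranked table for the constructed sample set.
if (typeof require !== "undefined" && require.main === module) {
  console.table(assessPackages(SAMPLE_PACKAGES, Date.parse("2024-01-01T00:00:00Z")));
}
```

With the constructed data the long-lived, heavily depended-on package scores above 0.9 while the two weeks-old near-names score around 0.2 to 0.26 and are both flagged as lookalikes of it; the unrelated package is neither flagged nor penalised for having a different name. A real implementation would read these figures from the registry rather than a hard-coded list, and the thresholds would need tuning against genuine data.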

I read it in a different way, not to say your reading is invalid! My interpretation was that a malicious actor could be holding a compromised key.