I thought the author published it via Git and some npm maintainer scraped them.
If they distributed this code to end users, that's just a cyberattack.