[nicce]

This is a real problem indeed. There have been reports about successful ones.

https://www.theregister.com/2022/07/06/npm_supply_chain_atta...

https://www.idstrong.com/sentinel/npm-packages-info-stolen/