by fmx 903 days ago
I see, thanks. I guess that answers one question, but raises another: why have his packages depend on more of his packages? If his goal was to be included in as many node_modules directories as possible, and handlebars-helpers was already included, what's the point of pulling in is-odd/is-even, too?

Might be this, from his GitHub bio: “Several years ago, just before my 40th birthday, I switched careers from sales, marketing and consulting to learn how to program.” Good way to get more eyeballs…
Ah yes, that actually explains a lot! Thanks.
Makes is-odd/is-even popular; many downloads; raises their (and his) profile.
Here we are all talking about him now!
He could sell rights to the repos and disavow any knowledge of their maintenance while maintaining the link in his own repos. When those sold rights are used to commit some crime, he has as much plausible deniability as anyone else but got a payday. If you try spinning off the subpackage just prior to a sale, then it shows some sort of intent.
Is there any evidence that he has ever done anything like this, or that he plans to? Or is this just pure speculation?
I didn't declare he's done this, only that it is a vulnerability of depending on those packages.