I don't know if they managed to fix it in recent years, but JS dependencies management used to be broken. I think the left-pad[0] incident is the most known one, but not the unique one. My guess is that you spam enough, at some point in time one of the packages will go viral.
[0] https://en.wikipedia.org/wiki/Npm_left-pad_incident