Malicious node-IPC Versions Published to NPM (github.com)
6 points by varunsharma07 29 days ago
2 comments

Not again and it is NPM once more.

> Any project that installs one of these versions, directly or transitively, will pull the compromised release.

Hope you have pinned your dependencies in your package.json.

What a disaster.

Why why why it's npm, almost always?