by rvz 34 days ago
Not again and it is NPM once more.

> Any project that installs one of these versions, directly or transitively, will pull the compromised release.

Hope you have pinned your dependencies in your package.json.

What a disaster.