Not saying the package is malicious, (although it might be, but it's a more likely threat that the devs themselves become infected by a supply chain worm and spread it downstream.) just saying, if you are going to audit it, actually audit it as if you were up against an attacker.
I'm seeing this from npm, which is a bit different:
https://www.npmjs.com/package/playcaptcha
Not saying the package is malicious, (although it might be, but it's a more likely threat that the devs themselves become infected by a supply chain worm and spread it downstream.) just saying, if you are going to audit it, actually audit it as if you were up against an attacker.