by scljstcwombat 4159 days ago
It's always been amateur hour over there. The 'official' install was `curl http://npmjs.org/install.sh | sh`[1], package checksums aren't uniformly checked, the list goes on.

But don't worry guys, they had a security audit[2].

[1] http://web.archive.org/web/20101228041356/http://npmjs.org/

[2] http://blog.npmjs.org/post/80277229932/newly-paranoid-mainta...