The npm dependency ecosystem is extremely tangled. I work with node frequently, but there's plenty of opportunities for bad actors to introduce abuse and I'm wondering when the other shoe will drop.