having worked with both mvn and gradle, i always have a good chuckle when i hear about npm "supply chain" hacks.