vintagedave 7 hours ago

The concern is not 'could' happen, but _does_ happen. I know this could occur in many places. But where it seems highly prevalent is NPM.

And I am genuinely thinking to myself, is this making using npm a risk?

cluckindan 7 hours ago | parent | next [-]

Just use dependency cooldown. It will mitigate a lot of risk.

yoavm 7 hours ago | parent [-]

If you started your Node project yesterday, wouldn't that mean you'd get the fix later?

flexd 7 hours ago | parent | next [-]

No, because if you used dependency cooldown you wouldn't be using the latest version when you start your project; you would be using the one that is <cooldown period> days/versions old.

edit: but if that's also compromised earlier... \o/

cluckindan 7 hours ago | parent | prev [-]

Obviously you bypass the cooldown to fix critical issues.
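
The cooldown policy discussed in the comments above (install the newest version that has already been public for N days, with an explicit bypass for a critical fix), as an added example that is not code from anyone in this thread. The registry document shape mirrors the `time` field the npm registry returns for a package, but the package name, versions and dates are constructed for illustration; the `selectVersion` function and the `allow` set are assumptions of this example, not an npm feature.

```javascript
// Added example: choosing a dependency version under a "cooldown" policy.
// Prefer the newest version that has been published for at least
// COOLDOWN_DAYS, so a compromised release has time to be reported and
// pulled before a fresh install picks it up. An allow-list of exact
// "name@version" strings lets a team bypass the cooldown for one release
// (e.g. a security fix) without exempting every later version of the package.

const COOLDOWN_DAYS = 7;

// Constructed sample registry document. The real npm registry document has a
// `time` map of version -> ISO publish timestamp plus `created`/`modified`;
// the name and values here are made up for this example.
const sampleRegistryDoc = {
  name: "example-lib", // constructed, not a real package
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2024-03-10T12:00:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.1.0": "2024-02-01T00:00:00.000Z",
    "2.0.0": "2024-03-01T00:00:00.000Z",
    "2.1.0": "2024-03-10T12:00:00.000Z",
  },
};

// Minimal numeric comparison for "major.minor.patch" strings (no prereleases).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function ageInDays(publishedIso, now) {
  return (now.getTime() - new Date(publishedIso).getTime()) / 86_400_000;
}

// Returns { version, ageDays, bypassed } for the version to install, or null
// if no version satisfies the cooldown. `allow` holds exact "name@version"
// exemptions (the "bypass the cooldown for a critical fix" case).
function selectVersion(doc, now, cooldownDays = COOLDOWN_DAYS, allow = new Set()) {
  const candidates = Object.keys(doc.time)
    .filter((k) => /^\d+\.\d+\.\d+$/.test(k)) // drop created/modified and prerelease tags
    .sort(compareVersions)
    .reverse(); // newest first
  for (const v of candidates) {
    const exempt = allow.has(`${doc.name}@${v}`);
    const age = ageInDays(doc.time[v], now);
    if (exempt || age >= cooldownDays) {
      return { version: v, ageDays: Math.floor(age), bypassed: exempt };
    }
  }
  return null;
}

// Demonstration with a fixed clock so the result is reproducible.
const fixedNow = new Date("2024-03-12T00:00:00.000Z");
console.log(selectVersion(sampleRegistryDoc, fixedNow));
// 2.1.0 is only ~1.5 days old, so 2.0.0 (11 days) is chosen.
console.log(
  selectVersion(sampleRegistryDoc, fixedNow, COOLDOWN_DAYS, new Set(["example-lib@2.1.0"]))
);
// The explicit exemption admits 2.1.0 despite its age.
```

As flexd's edit points out, this only buys time: if a malicious version was published before the cooldown window, the selector will happily return it, so the policy is a complement to lockfiles, integrity hashes and advisory checks, not a substitute.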

Ygg2 7 hours ago | parent | prev [-]

NPM is the largest possible target for such an attack.

Attack an important package, and you can get into the Node and Electron ecosystem. That's a huge prize.