LooseMarmoset 4 hours ago

Were I still on LinkedIn, I could totally have been caught by this. Thank you for this post, and the technical breakdown.

The company that I currently work for is currently paying for a curation product to scan NPM for vulnerabilities, and to prevent access to typo-squatting packages and new, unverified packages. I suspect that my employer may get to the point of banning NPM entirely, though.