For a brief time some npm packages could (and were) replaced by malicious users: https://news.ycombinator.com/item?id=16087079 https://twitter.com/coderbyheart/status/949728925839773696