The npm registry for the Node.js JavaScript runtime is susceptible to what is known as a manifest confusion attack, which could allow threat actors to conceal malware in project dependencies or execute arbitrary scripts during installation.
"A npm package's manifest is published independently from its tarball," Darcy Clarke, a former GitHub and npm engineering manager