NPM actually stands for Network Pwn Manager, so it's designed to give your IT network AIDS.
You can search for security violations here:
Early in the morning of July 12 [2018], an individual gained access to an npm publisher’s account and used this access to publish an unauthorized update of a popular package. The update included malicious code that would have attempted to access the accounts of additional npm users by obtaining these accounts’ access tokens.
(Incident report: npm, Inc. operations incident of July 12, 2018)
On July 19 [2017] a user named hacktask published a number of packages with names very similar to some popular npm packages. We refer to this practice as “typo-squatting”. In the past, it’s been mostly accidental. In a few cases we’ve seen deliberate typo-squatting by authors of libraries that compete with existing packages. This time, the package naming was both deliberate and malicious—the intent was to collect useful data from tricked users.
[…] JavaScript developers around the world crying out in frustration as hundreds of projects suddenly stopped working—their code failing because of broken dependencies on modules that a developer removed from the repository over a policy dispute.
(Rage-quit: Coder unpublished 17 lines of JavaScript and “broke the Internet” – ArsTechnica, 2016-03)
When I started coding Kik, I didn't know there was a company with the same name. And I didn't want to let a company force me to change the name of it. After I refused them, they reached NPM's support, emphasizing their lawyer power in every single e-mail, CC'ing me. @izs accepted to change the ownership of this module without my permission.
Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of "ERR! 418 I'm a teapot" whenever they tried to update or install a new JavaScript/Node.js package.
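The typo-squatting quote above describes packages published under names one keystroke away from popular ones. As an added example (not code from the original post, from npm, or from any of the incidents quoted), here is a small pre-install screen that flags dependency names whose normalized form is within edit distance 1 of a known-good name. The `POPULAR` list and `SAMPLE_PACKAGE_JSON` are constructed for the demo; in practice you would load the names you actually depend on, and anything flagged is a candidate for manual review rather than proof of malice (a scoped package such as `@types/lodash` will also be flagged, since the scope is stripped before comparison).

```javascript
// Added example: screen package names for typo-squats of known-good names.
// Assumptions: POPULAR is a constructed allow-list, and SAMPLE_PACKAGE_JSON
// is a constructed package.json; neither comes from the original page.

const POPULAR = ["lodash", "express", "cross-env", "mongoose", "react", "babel-cli"];

// Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // d[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // d[i-1][j], needed as next diag
      prev[j] = Math.min(
        prev[j] + 1,                                   // deletion
        prev[j - 1] + 1,                               // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)         // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Fold case, drop an @scope/ prefix, and remove separators so that
// "crossenv", "cross_env" and "Cross.Env" all collapse to "crossenv".
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[-_.]/g, "");
}

// Returns {status: "known" | "suspicious" | "clean", matches: [...]}.
// "known" means the exact name is on the allow-list; "suspicious" means the
// name is not on the list but lands within distance 1 of a listed name.
function checkName(candidate, popular = POPULAR) {
  const hits = [];
  for (const p of popular) {
    if (p === candidate) return { status: "known", matches: [] };
    const d = levenshtein(normalize(candidate), normalize(p));
    if (d <= 1) hits.push({ target: p, distance: d });
  }
  return { status: hits.length ? "suspicious" : "clean", matches: hits };
}

// Walk dependencies and devDependencies of a parsed package.json and return
// the names that should be reviewed before `npm install` runs them.
function auditDependencies(pkgJson, popular = POPULAR) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  return Object.keys(deps).filter((n) => checkName(n, popular).status === "suspicious");
}

// Constructed sample input (not a real project's manifest).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: "^4.16.0", crossenv: "1.0.0", mongose: "1.0.0" },
  devDependencies: { babelcli: "1.0.0" },
};

console.log("review before installing:", auditDependencies(SAMPLE_PACKAGE_JSON));
```

Run it with `node typosquat-check.js`; wiring it into a `preinstall` script or a CI step is the natural next move. Distance 1 on the normalized form catches transposed, dropped, and separator-stripped names, which is the class of name the quote describes, while leaving unrelated names alone.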
no.