holy crap:

On July 19, 2025, the package’s primary maintainer, John Harband, announced that versions 3.3.1 through 5.0.0 contained malware and were removed roughly 6 hours after threat actors submitted them to npm.

So, is that just a ‘developer’ component, or have I got to analyse all my systems now for the NPM components in the article’s list?