Alert: NPM modules hijacked

EDIT: User @nj48 appears to have no malicious intentions.

Following the recent module liberation, malicious activity was spotted in which the names of the modules are being hijacked.

For example, read-json: see https://github.com/mattdesl/install-if-needed/pull/2.

The "hijacked modules" look like this:

node_modules/dom-classes$ ls -la
total 12
drwxr-xr-x 5 drinchev admin  170 Mar 23 11:59 .
drwxr-xr-x 4 drinchev admin  136 Mar 23 11:59 ..
-rw-r--r-- 1 drinchev admin 1561 Mar 23 11:59 package.json
-rw-r--r-- 1 drinchev admin 3186 Mar 23 01:43 x
-rwxr-xr-x 1 drinchev admin  246 Mar 23 01:45 x.sh

and the content of the files is suspicious:

node_modules/dom-classes$ cat x.sh
 A="$1"

 echo '{
   "name": "'"$A"'",
   "version": "2.0.0",
   "description": "",
   "main": "index.js",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "author": "",
   "license": "ISC"
 }' > package.json

 npm publish
node_modules/dom-classes$

Since those modules are popular, I suggest everyone check their dependencies (especially on private projects) before even passing them to their CI.

Some of the modules are published by the user @nj48. You can find the list in the link.

Even though the modules are bumped with a semver major (so they will not be installed with ~1.0 in your package.json), there is a high chance people will upgrade accidentally.