EDIT: User @nj48 appears to have no malicious intentions.

Following the recent module liberation, malicious activity was spotted: the names of the modules were being hijacked.

For example, read-json: https://github.com/mattdesl/install-if-needed/pull/2.

The "hijacked modules" look like this:

```
node_modules/dom-classes$ ls -la
total 12
drwxr-xr-x  5 drinchev  admin   170 Mar 23 11:59 .
drwxr-xr-x  4 drinchev  admin   136 Mar 23 11:59 ..
-rw-r--r--  1 drinchev  admin  1561 Mar 23 11:59 package.json
-rw-r--r--  1 drinchev  admin  3186 Mar 23 01:43 x
-rwxr-xr-x  1 drinchev  admin   246 Mar 23 01:45 x.sh
```

and the content of the files is suspicious:

```
node_modules/dom-classes$ cat x.sh
A="$1"
echo '{
  "name": "'"$A"'",
  "version": "2.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}' > package.json
npm publish
node_modules/dom-classes$
```

Since those modules are popular, I suggest everyone check their dependencies (especially on private projects) before even passing them to their CI.
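One way to run that check over a `node_modules` tree, as an added example that is not part of the original post: it flags packages that match the placeholder shown above (an `x` or `x.sh` file at the package root, the templated `package.json`, a declared `main` that does not exist). The function names and the choice of indicators are assumptions drawn from that one listing, so an empty report does not prove a dependency is the original module.

```javascript
const fs = require('fs');
const path = require('path');

// Indicators taken from the listing in this post (an assumed signature):
// x / x.sh at the package root, the templated package.json, a missing main.
function hijackIndicators(pkgDir) {
  const hits = [];
  let pkg;
  try {
    pkg = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8')) || {};
  } catch (err) {
    return ['package.json missing or unparsable'];
  }
  for (const f of ['x', 'x.sh']) {
    if (fs.existsSync(path.join(pkgDir, f))) hits.push(`unexpected file: ${f}`);
  }
  // Field values that x.sh writes for every name it publishes.
  if (pkg.version === '2.0.0' && pkg.description === '' &&
      pkg.author === '' && pkg.license === 'ISC') {
    hits.push('package.json matches the x.sh template');
  }
  if (typeof pkg.main === 'string') {
    const main = path.join(pkgDir, pkg.main);
    if (!fs.existsSync(main) && !fs.existsSync(main + '.js')) {
      hits.push(`declared main is missing: ${pkg.main}`);
    }
  }
  return hits;
}

// Top-level packages, descending one level into @scope directories.
function listPackages(root) {
  const dirs = [];
  for (const e of fs.readdirSync(root, { withFileTypes: true })) {
    if (!e.isDirectory() || e.name.startsWith('.')) continue;
    const full = path.join(root, e.name);
    if (!e.name.startsWith('@')) dirs.push(full);
    else for (const s of fs.readdirSync(full)) dirs.push(path.join(full, s));
  }
  return dirs;
}

// Maps each flagged package (path relative to root) to its indicators.
function scan(root) {
  const report = {};
  for (const dir of listPackages(root)) {
    const hits = hijackIndicators(dir);
    if (hits.length) report[path.relative(root, dir)] = hits;
  }
  return report;
}
```

Call `scan('node_modules')` from the project root and review every package it reports before the install reaches CI.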

Some of the modules are published by the user @nj48. You can find the list in the link.