If someone made a concerted effort to put malware in a low-level npm package, how hard would it be to detect?
Worryingly, it would be really difficult.
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5