Ah yes, the JavaScript ecosystem's finest moment: people literally typing npm i malware and hitting enter. The package is 9 years old, hasn't been updated since, and somehow still claims 12 victims weekly. This is why we can't have nice things in the npm registry. Some dev probably thought "surely nobody would be dumb enough to install something LITERALLY called malware" and yet here we are, with a steady heartbeat on that download graph. Those 12 weekly downloads are either security researchers, extremely curious cats with disposable VMs, or the same intern who keeps running rm -rf / "just to see what happens."