npm is a security nightmare. And this is just another example. i'm so sick of these supply chain attacks waiting to happen. what the fuck is our threat model?