It's been almost two hours without a single email back from npm. I am sitting here struggling to figure out what to do to fix any of this. The packages that have Sindre as a co-publisher have been published over, but even he isn't able to yank the malicious versions AFAIU.
If there are any ideas on what I should be doing, I'm all ears.
EDIT: I've heard back, they said they're aware and are on it, but no further details.
NPM is a Github company, and when there was a relatively serious attack in Github Actions a while back, there was also pretty much zero response from them.
Github is SOC2 compliant, but that of course means nothing really.
My god. The npm team should urgently review their internal processes. These two hours of neglect will cost a lot of money downstream. At this stage, they are acting nothing short of irresponsibly.
I haven't published anything to npm in over a decade. But if you still have access to git, a CLI, or a browser where the login is cached and you can access it, you should do so and either take the code down or intentionally sabotage/break it.