At a naive level, this sounds like the sort of supply chain attack we've all been taught to fear. Asking seriously: has this build been replicated? is the source different from mainline? if so, what changed and who changed it?
The fake packages are not part of any supply chain and are quite easy to detect. A more serious attack would be rigging an existing widely used OSS package, but this is not what the post is about and its title is somewhat misleading.
In 2022 it's a "supply chain attack" if it disrupts downstream users. The faker.js / colors.js changes were also seen as a supply chain attack even though the maintainer knowingly made the changes.