> The attacker took the legitimate code from their repo, added his malicious BCC line, and published it to npm under the same name.

Why does npm allow packages to share names? Why does it not warn the user that they probably wanted another package? These are easy-to-solve problems.

If I understand the situation correctly, the official solution does have the same name, but it's not published on npm.[0]

As far as I know, npm doesn't actually allow packages to share names if they are both going to be in the public registry.

[0]: https://postmarkapp.com/blog/information-regarding-malicious...
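The comments above turn on the fact that the lookalike package carried the same name as the vendor's GitHub project while the vendor had never published to npm. One mechanical check a team can run before `npm install` is to compare the `repository` field in the package's manifest against the GitHub org the package is supposed to come from. The script below is an added example, not code from this thread, from npm or from Postmark; the package name `example-mcp`, the org `example-org`, the handle `attacker-handle` and the three manifests are constructed for illustration.

```javascript
// Added example: pre-install provenance check on a package.json "repository" field.
// Package and org names below are constructed; nothing here is taken from the thread.

// npm accepts several spellings for "repository"; normalise all of them to
// { host, owner, repo } so the comparison is done on one shape:
//   "owner/repo", "github:owner/repo", "git+https://github.com/owner/repo.git",
//   "git@github.com:owner/repo.git", or { type: "git", url: "..." }.
function parseRepository(repository) {
  if (!repository) return null;
  const raw = typeof repository === 'string' ? repository : repository.url;
  if (typeof raw !== 'string' || raw.length === 0) return null;

  let m;
  // scp-style: git@github.com:owner/repo(.git)
  if ((m = raw.match(/^git@github\.com:([^/]+)\/([^/]+?)(?:\.git)?$/))) {
    return { host: 'github.com', owner: m[1], repo: m[2] };
  }
  // shorthand: github:owner/repo or bare owner/repo
  if ((m = raw.match(/^(?:github:)?([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/))) {
    return { host: 'github.com', owner: m[1], repo: m[2] };
  }
  // any URL form, with an optional git+ scheme prefix
  try {
    const url = new URL(raw.replace(/^git\+/, ''));
    const parts = url.pathname.replace(/^\/+/, '').split('/');
    if (parts.length < 2 || parts[0] === '' || parts[1] === '') return null;
    return {
      host: url.hostname.toLowerCase(),
      owner: parts[0],
      repo: parts[1].replace(/\.git$/, ''),
    };
  } catch {
    return null;
  }
}

// Verdict for one manifest against the host/org it is expected to come from.
// A missing repository is treated as a failure: a package that names itself
// after a vendor's project but declines to say where its source lives is
// exactly the case the thread describes, so it gets a human look, not a pass.
function checkProvenance(manifest, expected) {
  const repo = parseRepository(manifest.repository);
  if (!repo) {
    return {
      ok: false,
      reason: `"${manifest.name}@${manifest.version}" declares no usable repository; verify the publisher by hand`,
    };
  }
  const sameOwner =
    repo.host === expected.host && repo.owner.toLowerCase() === expected.owner.toLowerCase();
  if (!sameOwner) {
    return {
      ok: false,
      reason: `"${manifest.name}@${manifest.version}" points at ${repo.host}/${repo.owner}/${repo.repo}, expected ${expected.host}/${expected.owner}`,
    };
  }
  return { ok: true, reason: `"${manifest.name}@${manifest.version}" -> ${repo.host}/${repo.owner}/${repo.repo}` };
}

// Constructed sample manifests (hypothetical names and versions): a lookalike
// pointing at a personal fork, one with no repository at all, and a genuine one.
const SAMPLE_MANIFESTS = [
  { name: 'example-mcp', version: '1.0.15', repository: 'git+https://github.com/attacker-handle/example-mcp.git' },
  { name: 'example-mcp', version: '1.0.16' },
  { name: 'example-mcp', version: '1.0.17', repository: { type: 'git', url: 'git@github.com:Example-Org/example-mcp.git' } },
];
const EXPECTED_ORIGIN = { host: 'github.com', owner: 'example-org' };

function auditAll(manifests = SAMPLE_MANIFESTS, expected = EXPECTED_ORIGIN) {
  return manifests.map((m) => checkProvenance(m, expected));
}

for (const verdict of auditAll()) {
  console.log(verdict.ok ? 'OK  ' : 'FAIL', verdict.reason);
}
```

The `repository` field is written by whoever publishes the tarball, so this catches the lazy lookalike (wrong org, or no org at all) and not a careful one that copies the vendor's URL verbatim. For that case the check has to go a step further: unpack the tarball and diff it against the tagged commit in the repository it claims, or require packages that were published with npm provenance attestations and verify them with `npm audit signatures`.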