More news is coming out about this:

https://www.phoronix.com/news/Arch-Linux-AUR-400-Compromised

I toyed with the idea that someone should write a binary that simply emails, or alert you when it's been run... as a canary... and call that `npm`.

At this point, not renaming the npm binary is a big risk.