Isn't this how most NPM authors are hacked these days? I think the axios guy got hit with the same approach over LinkedIn.