Hacker News

This can be resolved by just pinning the version in npm, right? I mean, it's a malicious attack that compromises trust in the maintainer of the package, but it's not the end of the world for any team being conscientious of their dependencies.

