Your devs probably install npm packages without a second thought. If you've ever mistyped a URL and landed on an 'interesting' website, you can understand why this lookalike (typosquatting) attack on package names could be very successful.
By the way, this is most definitely not a new thing. Take a look at these long-distance carrier names from the last millennium. I especially like the chutzpah of "I don't know" as a carrier name:
A new malicious package has been spotted this week on the npm registry, which targets NodeJS developers using Linux and Apple macOS operating systems for its recon activities. The malicious package is called "web-browserify." It imitates the popular Browserify npm component, downloaded over 160 million times over its lifetime. […]
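As an added example (not code from the original post, nor from Browserify or the malicious package it describes), here is a small pre-install screen for the kind of lookalike name the excerpt describes. It compares each dependency name in a package.json against a short list of popular packages and flags two patterns: a popular name wrapped in a common prefix or suffix ("web-browserify" for "browserify", "expressjs" for "express"), and a name within one edit or one adjacent-character swap of a popular name ("loadsh" for "lodash"). The popular-package list, the prefix/suffix patterns and the sample package.json are all constructed assumptions for the demonstration; in practice you would feed it the top-N packages from npm download statistics.

```javascript
// Typosquat screen for npm dependency names (added example, not from the original post).

// Assumption: a short allowlist standing in for the top-N packages by download count.
const POPULAR = ["browserify", "lodash", "express", "react", "webpack", "request"];

// Optimal string alignment distance: insert, delete, substitute, or swap two
// adjacent characters each cost 1, so a transposition like "loadsh" counts as one edit.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Classify one dependency name against the popular list.
//   "known"      - exactly a popular package
//   "suspicious" - a popular name with a decoration added, or within one edit of one
//   "unknown"    - nothing close; not necessarily safe, just not a lookalike
function classify(name, popular = POPULAR) {
  const bare = name.replace(/^@[^/]+\//, ""); // drop an npm scope such as @types/
  if (popular.includes(bare)) return { name, verdict: "known", match: bare, reason: null };
  // Assumption: the decorations typosquatters commonly add around a real name.
  const core = bare.replace(/^(web|node|js|npm)-/, "").replace(/[-.]?js$/, "");
  for (const p of popular) {
    if (core === p) return { name, verdict: "suspicious", match: p, reason: "decorated" };
    if (editDistance(bare, p) <= 1) return { name, verdict: "suspicious", match: p, reason: "edit-distance" };
  }
  return { name, verdict: "unknown", match: null, reason: null };
}

// Return only the suspicious entries from a parsed package.json object.
function scanDependencies(pkg, popular = POPULAR) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps)
    .map((n) => classify(n, popular))
    .filter((r) => r.verdict === "suspicious");
}

// Constructed sample input: one legitimate package plus three lookalikes.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "browserify": "^17.0.0",
    "web-browserify": "^1.0.1",
    "loadsh": "1.0.0",
    "expressjs": "0.0.1",
    "@types/node": "^14.0.0",
    "left-pad": "1.3.0",
  },
};

for (const hit of scanDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`suspicious: ${hit.name} looks like ${hit.match} (${hit.reason})`);
}
```

Run this as a pre-install hook or in CI over the lockfile rather than package.json alone, since transitive dependencies are where a lookalike usually hides. An "unknown" verdict means the name is not near any popular package, not that it is safe; a name like "left-pad" still deserves the usual review.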