Heh. It's also on the news now: https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/
And it now has its own OFFICIAL advisories:
https://github.com/advisories/GHSA-97m3-w2cp-4xx6
https://nvd.nist.gov/vuln/detail/CVE-2022-23812