So we saw a simple scheme to disrupt multiple npm applications in the wink of an eye - copy a widely used package's README, post a dubious-looking package and voila, all the javascripters are pulling hairs out of their rear ends.
I wonder, did the people managing npm ever test such a scenario before (a rhetorical question)?
Looks like they never would, until another incident strikes.