axsharma | 7 months ago
That is a sound argument, even if the integrity of the package were to check out (if npm tracks this internally at all).
Better to adopt a PyPI-style approach of temporarily "quarantining" packages while investigating allegations of malware for large-scale projects. Instead, npm pulled the plug outright, stating: "This package contained malicious code and was removed from the registry..." (generic placeholder page), which is inaccurate and likely to cause panic. https://www.npmjs.com/package/stylus