Just to share, there is an issue about uglifyjs https://github.com/mishoo/UglifyJS2/issues/936


Ironically the same person who first reported this npm vulnerability used the wrong package name uglifyjs instead of uglify-js in an unrelated github project.

https://github.com/mishoo/UglifyJS2/issues/936#issuecomment-...

https://github.com/samccone/The-cost-of-transpiling-es2015-i...

Or perhaps it was a security experiment to see how long it took someone to notice.


The uglify authors should use 'uglify' per the naming conventions and can easily reserve uglify-js and uglifyjs as empty / legacy packages.

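The thread turns on a one-character difference between `uglifyjs` and `uglify-js`. The following is an added example, not code from the thread or from the UglifyJS project: a small dependency audit that reads a `package.json`-shaped object and flags any dependency that is not on an allowlist of known-good names but collides with one once separators are dropped, or sits within a small edit distance of one. The allowlist and the sample `package.json` are constructed for the example, and the separator-stripping normalisation is an assumption about what a useful check looks like, not an npm rule.

```javascript
// Added example (not from the thread): flag dependency names that look like
// near-misses of well-known package names, e.g. "uglifyjs" vs "uglify-js".
// KNOWN_GOOD is a constructed sample allowlist, not an authoritative registry list.
const KNOWN_GOOD = ['uglify-js', 'lodash', 'express', 'react'];

// Normalise a name so separator-only variants collide:
// lowercase, then drop hyphens, dots and underscores ("uglify-js" -> "uglifyjs").
function normalize(name) {
  return name.toLowerCase().replace(/[-._]/g, '');
}

// Levenshtein edit distance (insert / delete / substitute, cost 1 each).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]); // dp[i][0] = i
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,        // deletion
        dp[i][j - 1] + 1,        // insertion
        dp[i - 1][j - 1] + cost  // substitution / match
      );
    }
  }
  return dp[a.length][b.length];
}

// Return one finding per dependency that is NOT on the allowlist but is
// suspiciously close to an allowlisted name. Dependencies that exactly match
// an allowlisted name are skipped: they are the legitimate package.
function findSuspiciousDeps(pkgJson, knownGood = KNOWN_GOOD, maxDistance = 1) {
  // Object.assign ignores undefined sources, so a missing section is fine.
  const deps = Object.assign({}, pkgJson.dependencies, pkgJson.devDependencies);
  const findings = [];
  for (const dep of Object.keys(deps)) {
    if (knownGood.includes(dep)) continue;
    for (const good of knownGood) {
      const sameNormalized = normalize(dep) === normalize(good);
      const dist = editDistance(dep.toLowerCase(), good.toLowerCase());
      if (sameNormalized || dist <= maxDistance) {
        findings.push({
          dependency: dep,
          resembles: good,
          reason: sameNormalized ? 'separator-only difference' : `edit distance ${dist}`,
        });
        break; // one finding per dependency is enough for a review queue
      }
    }
  }
  return findings;
}

// Constructed sample package.json mirroring the mix-up discussed in the thread,
// plus a plain misspelling ("expres") to show the edit-distance path.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { uglifyjs: '^2.4.10', lodash: '^4.17.0' },
  devDependencies: { expres: '^4.0.0' },
};

console.log(JSON.stringify(findSuspiciousDeps(SAMPLE_PACKAGE_JSON), null, 2));
```

Running it on the sample reports `uglifyjs` as a separator-only variant of `uglify-js` and `expres` as edit distance 1 from `express`, while `lodash` passes because it is on the allowlist. The allowlist is the weak point of any such check: it should be the organisation's own reviewed list of packages it actually depends on, and a `maxDistance` above 1 quickly produces noise on short names.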

According to the parent link they've been waiting for npm support to respond for over a month.


They filed an official dispute 11 hours ago.




