Re: Any sanctions?
This is a Node.js NPM package, i.e. this is server-side JavaScript, not browser JavaScript.
NPM is "Node Package Manager", like apt, or pkg or deb etc.
The attacked computer would be the server running the application. The basic problem is the package manager has the ability to auto-update dependencies, and most people seem to use it that way, so the changed files are loaded into someone's server application.
Do npm packages work in browser or only in Node.js
Node Package Manager Guide: Install npm + Use Commands & Modules
Maybe Automatically Updating Dependencies Isn’t a Great Idea
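
An added example, not part of the original post: a small Node.js check that lists which entries in a package.json use version ranges rather than an exact version, which is what allows a newer release to be resolved on install when no lockfile pins the tree. The manifest, package names and the `classifySpec` / `auditDependencies` helpers are constructed for illustration.

```javascript
// Exact versions such as "2.3.1" (optionally "=2.3.1" or "v2.3.1").
const EXACT = /^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Classify one dependency spec by how much it is allowed to float.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT.test(s)) return 'pinned';
  // Empty string, "*" and the "latest" tag accept whatever is newest.
  if (s === '' || s === '*' || s === 'latest') return 'any';
  // Git, URL and local-path specs are not resolved from registry versions.
  if (/^(git(\+\w+)?:|https?:|file:|github:)/.test(s)) return 'non-registry';
  if (s.startsWith('^')) return 'caret'; // ^1.4.0 allows >=1.4.0 <2.0.0
  if (s.startsWith('~')) return 'tilde'; // ~0.9.2 allows >=0.9.2 <0.10.0
  return 'range';                        // comparators, x-ranges, hyphen ranges
}

// Return every dependency whose spec is not an exact version.
function auditDependencies(pkg) {
  const findings = [];
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'pinned') findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical package names).
const samplePackageJson = {
  name: 'example-server',
  dependencies: {
    'pkg-a': '^1.4.0',
    'pkg-b': '2.3.1',
    'pkg-c': '~0.9.2',
    'pkg-d': '*',
  },
  devDependencies: { 'pkg-e': 'latest', 'pkg-f': '>=1.0.0 <3.0.0' },
};

for (const f of auditDependencies(samplePackageJson)) {
  console.log(`${f.section}: ${f.name}@${f.spec} -> ${f.kind}`);
}
```

Committing `package-lock.json` and installing with `npm ci` keeps deployments on the versions recorded in the lockfile, so a range in package.json does not by itself pull a new release onto the server.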