Thanks to @cvennevik and @aardrian for pointing out this amazing story.
My opinion: curious coders experimented in good faith, discovered a serious architecture issue with technology and policies, tried to notify and rectify, but got blamed by commercial entities instead of being thanked for their good-faith disclosure.
It's very much worth the read:
https://boehs.org/node/npm-everything