This is regarding supply chain attacks.
Is it possible for the creator of an npm package to change published packages in retrospect?
For example, [email protected] is trusted right now, and pinned in my package-lock.json. Now, can the publisher change [email protected] on npmjs.com, so that when I run npm i, a malicious version gets installed?
If so, how do I prevent this?
I tried googling and haven't found any info about this.