rysiek, 
Dear #InfoSec Hivemind!
We've seen supply chain attacks where old unmaintained npm packages were taken over and malwared, targeting devs.
We've seen attacks that typosquatted names of popular npm packages to get devs to include these accidentally.
We've seen malicious JS libraries hosted on large CDNs, used in attacks.
Have we seen a case where a JS library / npm package got taken over, malwered, and then published to CDNs in order to target websites that include it?
:boost_ok:
