
Mostly to avoid a situation like this https://www.bleepingcomputer.com/news/security/researcher-ha...

(This week's hack using npm, gems, etc. to trick non-Java build tools into not using internal repos but the hacker's compromised packages instead)




And with signed artifacts that wouldn't have happened.

https://docs.gradle.org/current/userguide/dependency_verific...

> Note that a variation of a compromised library is often name squatting, when a hacker would use GAV coordinates which look legit but are actually different by one character, or repository shadowing, when a dependency with the official GAV coordinates is published in a malicious repository which comes first in your build.

The best part is that the documentation literally describes the attack used here.

Another example where npm and co. are reinventing the same issues that Java solved long ago.
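To make the two attack classes quoted above concrete, here is an added example (not code from the thread, from Gradle, or from the linked docs) of the kind of check a checksum-pinned verification step performs. The manifest format, the coordinates, the repository names and the artifact bytes are all constructed for the example; the only thing it borrows from the discussion is the idea: a trusted manifest pins exact coordinates to a SHA-256 digest, so an artifact with the official coordinates but different bytes (repository shadowing) fails the digest check, and an artifact whose coordinates are one character away from a pinned one (name squatting) is flagged rather than silently accepted.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolved:
    """One artifact as a build tool resolved it, including which repo served it."""
    group: str
    name: str
    version: str
    repo: str
    content: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed trusted manifest: (group, name, version) -> pinned SHA-256.
# This is a hypothetical stand-in for a checksum-pinned verification file,
# not Gradle's verification-metadata.xml format.
LEGIT_AUTH_LIB = b"constructed bytes of the real auth-lib 1.4.0 jar"
TRUSTED = {
    ("com.example.internal", "auth-lib", "1.4.0"): sha256_hex(LEGIT_AUTH_LIB),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss coordinates."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def verify(resolved: list, trusted: dict) -> list:
    """Return (verdict, 'group:name:version', repo) for each resolved artifact.

    Verdicts: 'ok' (pinned digest matches), 'shadowing' (pinned coordinates but
    different bytes), 'squatting' (coordinates one edit away from a pinned one),
    'unpinned' (not in the manifest at all; a strict build rejects these too).
    """
    findings = []
    for art in resolved:
        gav = (art.group, art.name, art.version)
        label = ":".join(gav)
        if gav in trusted:
            verdict = "ok" if sha256_hex(art.content) == trusted[gav] else "shadowing"
        else:
            verdict = "unpinned"
            for t in trusted:
                # Same version, group:name differs by exactly one character.
                if t[2] == gav[2] and edit_distance(":".join(t[:2]), ":".join(gav[:2])) == 1:
                    verdict = "squatting"
                    break
        findings.append((verdict, label, art.repo))
    return findings


# Constructed resolution result: the real artifact, a shadow copy with the official
# coordinates served by a public mirror, a look-alike name (l -> 1), and an unknown.
SAMPLE_RESOLVED = [
    Resolved("com.example.internal", "auth-lib", "1.4.0", "internal-nexus", LEGIT_AUTH_LIB),
    Resolved("com.example.internal", "auth-lib", "1.4.0", "public-mirror", b"attacker payload"),
    Resolved("com.example.internal", "auth-1ib", "1.4.0", "public-mirror", b"attacker payload"),
    Resolved("org.other", "thing", "2.0", "public-mirror", b"some unrelated jar"),
]

if __name__ == "__main__":
    for verdict, label, repo in verify(SAMPLE_RESOLVED, TRUSTED):
        print(f"{verdict:10} {label} (from {repo})")
```

The ordering point from the quoted docs is visible in the sample: the shadow copy is only dangerous because a build tool that consults `public-mirror` before `internal-nexus` would pick it first, and a digest pin makes that ordering irrelevant because the bytes, not the repository, decide acceptance.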



