Blog | G5 Cyber Security

Dependency confusion explained: Another risk when using open-source repositories

Attackers can take advantage of this issue to trick the package manager into installing a malicious package published in a community repository instead of a custom package hosted in a private repository. Security researchers have long warned that this can be exploited by attackers, especially since the repositories are not well policed. Attackers also uploaded components with names similar to legitimate ones in the hope that developers might mistype the name when defining their application dependencies, an attack known as typosquatting. In response to past attacks, public repository maintainers have taken additional steps including multi-factor authentication and adding digital signatures.

Source: https://www.csoonline.com/article/3609779/dependency-confusion-explained-another-risk-when-using-open-source-repositories.html
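The resolution behaviour the excerpt describes, as an added example that is not part of this post or the CSO article: a toy resolver that merges a private and a public index and takes the highest version (the confusable setting), beside one that serves internal names only from the private index, plus a near-name check of the kind a defender can run against an allowlist to flag typosquatting. All package names, versions and the two index contents are constructed.

```python
# Constructed sample index contents (hypothetical names, not real packages).
PRIVATE_INDEX = {"acme-billing": ["1.2.0", "1.3.1"]}
PUBLIC_INDEX = {"acme-billing": ["99.0.0"], "requests": ["2.31.0"]}
INTERNAL_NAMES = {"acme-billing"}  # names that must never be fetched from the public index


def version_key(version):
    """Turn '1.3.1' into (1, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def resolve_naive(name):
    """Weak setting: merge both indexes and pick the highest version, whatever its source.
    A higher version published on the public index wins over the internal package."""
    candidates = [(version_key(v), v, "private") for v in PRIVATE_INDEX.get(name, [])]
    candidates += [(version_key(v), v, "public") for v in PUBLIC_INDEX.get(name, [])]
    if not candidates:
        raise LookupError(f"no candidate for {name}")
    _, version, source = max(candidates)
    return version, source


def resolve_pinned(name):
    """Hardened: internal names are served only from the private index and
    everything else only from the public one; the indexes are never merged."""
    if name in INTERNAL_NAMES:
        versions, source = PRIVATE_INDEX.get(name, []), "private"
    else:
        versions, source = PUBLIC_INDEX.get(name, []), "public"
    if not versions:
        raise LookupError(f"no candidate for {name}")
    return max(versions, key=version_key), source


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typosquatting) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_suspects(requested, known_names, max_distance=2):
    """Known names that a requested dependency is suspiciously close to but not equal to."""
    return sorted(k for k in known_names
                  if k != requested and edit_distance(requested, k) <= max_distance)
```

The same split applies to real tooling: configure the client so internal names resolve only against the private index (or a reserved namespace/scope) rather than letting it fall through to the public one.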
