An attacker was able to upload a malicious package and, due to a lack of controls inside NPM, assign anyone on the platform as the maintainer of that package. The person now associated with the package receives no notification about it, which makes the flaw even worse. It is possible that there are malicious packages available on NPM that are attached to known good developers, which an unsuspecting person could download and use.
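As an added example (not from the original post), a defender-side check for the pattern described above: it counts, for each account listed as a maintainer, how many of the package's versions that account actually published, so a "maintainer" who never published anything stands out. It assumes the registry metadata document's `maintainers` and `versions[].\_npmUser` fields, and the package, accounts and e-mails in the sample are constructed placeholders.

```python
import json

# Constructed sample of an npm registry metadata document (the shape returned by
# GET https://registry.npmjs.org/<package>), trimmed to the fields this check uses.
# The package name, accounts and e-mails are placeholders, not real accounts.
SAMPLE_REGISTRY_DOC = json.dumps({
    "name": "example-widget",
    "maintainers": [
        {"name": "attacker-account", "email": "attacker@example.invalid"},
        {"name": "trusted-dev", "email": "trusted@example.invalid"},
    ],
    "versions": {
        "1.0.0": {"_npmUser": {"name": "attacker-account", "email": "attacker@example.invalid"}},
        "1.0.1": {"_npmUser": {"name": "attacker-account", "email": "attacker@example.invalid"}},
    },
})


def maintainer_publish_counts(registry_doc: str) -> dict:
    """Map each listed maintainer to the number of versions that account published.

    A maintainer with zero published versions may have been attached to the package
    without ever touching it, which is exactly what the NPM flaw allowed.
    """
    doc = json.loads(registry_doc)
    published_by = {}
    for meta in doc.get("versions", {}).values():
        publisher = meta.get("_npmUser", {}).get("name")
        if publisher:
            published_by[publisher] = published_by.get(publisher, 0) + 1
    return {m["name"]: published_by.get(m["name"], 0) for m in doc.get("maintainers", [])}


def silent_maintainers(registry_doc: str) -> list:
    """Maintainers listed on the package that never published any of its versions."""
    counts = maintainer_publish_counts(registry_doc)
    return sorted(name for name, n in counts.items() if n == 0)


if __name__ == "__main__":
    for name in silent_maintainers(SAMPLE_REGISTRY_DOC):
        print(f"{name}: listed as maintainer but published no versions of this package")
```

A legitimate co-maintainer who simply never cut a release will also be flagged, so treat a hit as a prompt to verify the association with the developer, not as proof of tampering.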
This newly disclosed (and patched) flaw comes on the heels of one related to MFA which could allow an attacker to compromise a valid account, as well as other bugs that have allowed attackers to poison the repository. When you combine these flaws with some of the self-sabotage that we have seen from legitimate developers, it is going to have an impact on the trust that open source has built up.
We have a feeling that the recently identified issues with NPM are going to push development teams to move away from the use of repos like NPM. The idea that the once trusted source of dependencies for larger software projects is no longer safe will make its use inadvisable. After all, at the end of the day the developers/publishers of any software package are going to be the ones that take the hit if there is an incident, regardless of the reason for the incident. If the component is central to the functionality of the application, think Log4J, it can also mean significant costs in re-engineering the application to remove or correct the identified flaw.
It will be interesting to see how developers respond to the latest news about NPM, especially when taken alongside the increased interest in code repositories from the attacker community. Will we see these once popular sites dry up and fall into disuse, or will we see a push for better and more complete security controls? Only time will tell.