NPM command confusion
ID: f1e98d48-ff0c-519e-976a-5ea591da4eae
STIX ID: report--f1e98d48-ff0c-519e-976a-5ea591da4eae
Feed Name: Checkmarx Zero
The report describes an npm CLI alias confusion: "npm add" is a newly added alias for "npm install", so a developer who means to log in with "npm adduser" but mistypes it as "npm add user" unintentionally installs a package named "user" instead. The package is benign but widely downloaded; with millions of downloads and thousands of dependents, it represents a potential supply-chain risk if future versions include malicious code.
