Sounds like the attacker is getting pretty smart about this stuff too. They have a self-hosted registry with the offending package so it can't get yanked from the actual npm registry.

> The attackers now host the attack from mave-finance/next-assessment. The malicious dependency is json-mock-config-server which is not listed in the npm registry, but rather is served from npm.mave.finance as before, the registry listed in .npmrc.
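
Added example, not part of the comment or the quoted article: a reviewer-side check that flags any registry set in `.npmrc` and any tarball host in `package-lock.json` that is outside an allowlist, before anything is installed. The allowlist, the function names and the sample lockfile entries (including versions) are assumptions constructed for illustration; the host and package name are the ones quoted above.

```javascript
// Added example: flag npm registries and lockfile tarball hosts outside an allowlist.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]); // assumption: only the public registry is trusted

// Return [{key, url}] for every "registry=" or "@scope:registry=" line in .npmrc text.
function parseNpmrcRegistries(text) {
  const out = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue; // blank or comment
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
    if (key === "registry" || /^@[^:]+:registry$/.test(key)) out.push({ key, url: value });
  }
  return out;
}

// Lower-cased hostname of a URL, or null when it does not parse.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Findings for .npmrc registries and package-lock.json (lockfileVersion 2/3 "packages" map).
function auditRegistries(npmrcText, lockJsonText, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const { key, url } of parseNpmrcRegistries(npmrcText)) {
    const host = hostOf(url);
    if (!host || !allowed.has(host)) findings.push({ source: ".npmrc", item: key, host: host ?? url });
  }
  const lock = JSON.parse(lockJsonText);
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (!meta.resolved || !/^https?:/.test(meta.resolved)) continue; // skip root, links, git and file: deps
    const host = hostOf(meta.resolved);
    if (!host || !allowed.has(host)) findings.push({ source: "package-lock.json", item: path, host: host ?? meta.resolved });
  }
  return findings;
}

// Constructed sample input: versions and tarball paths are made up for the demo.
const SAMPLE_NPMRC = "# constructed sample\nregistry=https://npm.mave.finance/\n";
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "next-assessment" },
    "node_modules/left-pad": { resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/json-mock-config-server": { resolved: "https://npm.mave.finance/json-mock-config-server/-/json-mock-config-server-0.0.0.tgz" },
  },
});

console.log(auditRegistries(SAMPLE_NPMRC, SAMPLE_LOCK));
```

Run it against a cloned repository's files as text, without running `npm install`; an organization with its own internal registry would add that host to the allowlist.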