Endor Labs101 fake font packages.
4.3 petabytes transferred.
Zero malware.
This wasn’t a supply-chain attack. npm was quietly used as a CDN at massive scale.
Henrik Plate explains how it happened and why abuse, not just malware, is becoming a serious OSS sustainability risk.
https://endorlabs.com/learn/how-fake-font-packages-abused-npm-as-a-cdn
