$ npm install firstname.lastname@example.org
LIBERTY LIBERTY LIBERTY
Article complémentaire FR: https://www.01net.com/actualites/au-bout-du-rouleau-un-developpeur-sabote-ses-logiciels-open-source-2053434.html
Effectively find upstream & downstream dependencies of a Pypi package
More about it: https://blog.acolyer.org/2020/09/21/watchman/
libraries.io also provides this information, possibly less accurate
A very plausible scenario of credentials sniffer injected through npm dependency chain.
I loved the "I’d see it in your source on GitHub!" section : so scary and true.