It does not just sound insane, it is insane...

"He reverse-engineered an actual attack. The project contained scripts that enabled code injection and crypto-wallet theft. His post (highly recommended):"

https://www.linkedin.com/pulse/como-identifiquei-um-golpe-em...

"The execp package (version 0.0.1) is an infamous, malicious dependency frequently used in recent supply-chain attacks and job interview scams. Threat actors embed this 9-year-old package into seemingly innocent "technical assessments" or projects. When you run npm install, it quietly executes arbitrary shell commands in the background to compromise your machine."