Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data the...

Socket

Malicious npm packages impersonating the widely-used libraries chokidar and chalk have been discovered. The attacker added a destructive 'kill switch' and data-exfiltration routines to these clones, potentially leading to data loss or exposure of environment variables. These imposter packages mimic legitimate ones, making them hard to distinguish without thorough checks.

Kill Switch Hidden in npm Packages Typosquatting Chalk and C...

This is why package repository maintainers need the ability to remove or block a package. And I say this as someone who is not a package repository maintainer.
I was unable to find any information on whether the NPM maintainers can does this, because google is increasingly useless.

i have zero trust on all 3rd party packages. as much as possible i don’t use them if i can just create my own. because even if that package is legit, one of its dependencies might be compromised, or the dependencies of its dependencies, etc. somewhere along that tree of dependencies might be a malicious package.