An npm package with 4 million weekly downloads just got caught sending your .env file to a random server in a postinstall script. You know what the maintainer called it? Telemetry. I need everyone to understand that 'telemetry' is just surveillance with better PR.