A typosquatted npm package named 'reakt' instead of 'react' made it into our CI pipeline. It had been quietly installed on 4 developer machines. Found out because our EDR flagged unusual DNS lookups. The package had 2,000 stars on a fake GitHub account. Someone had put in actual effort to steal our secrets.