Such an explanation looks misleading to me. Even having the module detected as potentially malicious, why was it put into a state where such a module doesn't exist, letting others publish a package with the same name? To me it looks like there is something wrong internally with the processes on the npm side.
I had some free time between switching jobs and I filled it by building ProtonMail Desktop Client: https://github.com/vladimiry/protonmail-desktop-app There simply was no usable client for desktop. That's actually my first open source experience.