NPM ecosystem at risk from “Manifest Confusion” attacks