What if a package did something like this, but instead of logging to the console, they sent it back to a server?
Have you actually reviewed every dependency and every child dependency in every app you deploy?
Why are people not more scared of this?