NPM's terms explicitly disallow malware. They're free to put the raw source on, say, GitHub, but the author isn't permitted to package and distribute it on NPM.
https://docs.npmjs.com/policies/open-source-terms
I thought the author published it via Git and some npm maintainer scraped them.
If they distributed this code to end users, that's just a cyberattack.