With a threat like this, I think the best action going forward would be to kick the author off of npm, and re-purpose the npm package name to a frozen-in-time version of a clean ad-free fork of the latest release, perhaps with a deprecation warning

isaacs responded below and clarified that he doesn’t feel core-js is in violation of npm’s new policy

https://github.com/zloirock/core-js/issues/635#issuecomment-...

ICYM npm’s new policy: https://news.ycombinator.com/item?id=20838078