This is an obvious scam, I don't know why I wasted this time double checking.
Makes me sad that this it the top HN post. Also got me thinking if the technique is so effective here (among more-than-average-scam aware community), I don't want to imagine the success rate on other social media.
npm audit - will tell you if there's any packages with known vulnerabilities.
https://docs.npmjs.com/cli/v11/commands/npm-audit
I'd imagine it's considerably slower than search, but hopefully more reliable.
I like the disclosure at the top, saves time.