2-day-old GitHub account added AI-generated dependency to Mailgen (2.5k stars)

hackernews | 📦 Open source
#review
Original source: hackernews · Summarized and analyzed at Genesis Park

Summary

An account created two days earlier opened a PR adding a dependency to the Mailgen repository (over 2,500 stars), but it was rejected over supply-chain attack concerns. The account proposed the `turbo-he` package on the grounds of improved performance, but this was judged to be an attempt to abuse a dependency presumed to have been generated by AI. The maintainer then promptly reverted the PR and stated that future dependency changes would be reviewed carefully.

Body

Conversation

Comment addressed to @eladnava:

@eladnava I tried to contact you privately via LinkedIn and Twitter but can't seem to (because of permissions on your end and LinkedIn restrictions I think). I'd strongly suggest you revert this PR. This account was created ~2 days ago, has vibed some "performant" NPM dependencies into existence, and while the package contents seem innocuous, I suspect they're attempting to set up a supply chain attack.

Reply addressed to @askoufis:

@askoufis I've also deprecated version Really appreciate your vigilance and quick notification about this potential future supply chain attack. Going forward, I will be carefully reviewing any PRs which touch any of the existing Thanks again!

PR description:

What this does

Replaces he with turbo-he — a Rust N-API implementation of the identical API. One line in package.json, one line per import. No logic changes.

Benchmark results (Apple M2, Node.js v25.2.1): table comparing he and turbo-he on decodeBuffer(Buffer) (★ useNamedReferences: true); the figures were not preserved in this copy.

Why it's safe

he on every case: named entities, numeric decimal/hex, legacy no-semicolon, attribute-value mode, strict mode, Windows-1252 remap, surrogate replacement

Source: https://github.com/dev-kjma/turbo-he · https://www.npmjs.com/package/turbo-he

This analysis was written by the Genesis Park editorial team with the help of AI. The original can be viewed via the source link.
