Kids, don't just
npm install stuff willy nilly. Things you don't expect can happen.
If you're having trouble educating your team about the dangers of leaving credentials in easy to anticipate locations while working in an ecosystem of dependencies that pull dependencies that pull dependencies that no one reviews, try
npm install aws-pony --save on some of your projects at work and see if anyone catches the commit.
This is part of our internal education process for AWS Vault, our CLI tool for using STS sessions on amazon safely instead of accidentally leaking power user IAM creds.
Flagrantly disregarding SemVer as was the style at the time.
Code: ICS Wallpaper: Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License from http://theshadowstone.deviantart.com/art/My-Little-Pony-Wallpaper-455115304