Affected versions of the package are vulnerable to a symlink attack due to predictable temporary folder names, which took the form /tmp/npm-$PID. An attacker waiting for a process named npm- to load could then go to the folder and arbitrarily change the files in it.
Upgrade npm to version 1.3.3 or higher.
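The PID-based naming scheme described above, next to a hardened replacement, as an added example that is not npm's own code. The function names are hypothetical, and the sketch assumes Node.js on a POSIX system.

```javascript
// Added example, not npm's code. All function names are hypothetical.
const fs = require("fs");
const os = require("os");
const path = require("path");

// Weak pattern from the advisory: the name depends only on the PID,
// so any local user can compute it and prepare the path in advance.
function predictableTmpName(pid) {
  return path.join(os.tmpdir(), "npm-" + pid);
}

// Hardened pattern: mkdtemp appends six random characters and creates the
// directory in one step with mode 0700, never reusing an existing path.
function createPrivateTmpDir(prefix = "npm-") {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), prefix));
  assertPrivateDir(dir);
  return dir;
}

// Check to run before trusting any temp directory: it must be a real
// directory (not a symlink), owned by this user, closed to group/other.
function assertPrivateDir(dir) {
  const st = fs.lstatSync(dir); // lstat does not follow symlinks
  if (st.isSymbolicLink() || !st.isDirectory()) {
    throw new Error(dir + " is not a real directory");
  }
  if (process.platform !== "win32") {
    if (st.uid !== process.getuid()) {
      throw new Error(dir + " is owned by another user");
    }
    if ((st.mode & 0o077) !== 0) {
      throw new Error(dir + " is accessible to other users");
    }
  }
}
```

Running assertPrivateDir on an existing temp path also works as an audit check for directories that a process did not create itself.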