Author: Mike Hanley
Word count: 2190
Language: English

Summary

Between July 21 and August 13, 2021, vulnerabilities in the Node.js packages tar and @npmcli/arborist were reported through a private security bug bounty program; each could potentially lead to arbitrary code execution. The flaws allow an untrusted tar archive or npm package to overwrite files outside the intended directory when it is extracted or installed, and because both packages are so widely used the impact extends to the npm CLI and to other projects that depend on them. Seven CVEs were assigned, four of which directly affect the npm CLI, so updating npm and tar to the latest versions is the necessary mitigation. The npm team responded quickly: it released fixes, scanned the registry for malicious packages, and blocked certain package types as an additional safeguard. The post also credits collaboration with the security researchers and the wider community, underlining the role of coordinated disclosure and community partnership in maintaining security.