Software package hijacking is an escalating supply-chain threat in which a popular software package is turned into a vehicle for executing malicious code on the machines of everyone who installs it. This threat is examined through a case study by a security research team, whose central finding is that waiting at least 14 days before upgrading to a newly published package version would have prevented many hijacking incidents. The study covers both external hijacking, where attackers take control of a package, and self-hijacking, where the package's own maintainers push harmful changes; affected packages include PyTorch, ua-parser-js, coa, faker, colors, and node-ipc, with consequences ranging from data theft to system corruption. Notable incidents include the PyTorch library's dependency attack, which compromised developers' sensitive information, and a protest-related sabotage by the creator of the faker and colors packages, which disrupted many dependent projects. Preventative measures such as enforcing vetting practices and adopting tools like JFrog Curation help organizations mitigate these risks by delaying updates and blocking potentially harmful package versions.
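The 14-day waiting rule above can be applied mechanically before a dependency is upgraded. The following is an added example, not code from the original page or from JFrog: it takes a dict shaped like the PyPI JSON API's `releases` mapping (version to list of uploaded files, each with an `upload_time_iso_8601` field; that shape is an assumption here), holds back any version younger than the waiting period, and picks the newest version that has aged long enough. The sample release data is constructed, and version ordering is a simplified numeric sort with no pre-release handling.

```python
"""Version-quarantine check modelling the "wait at least 14 days" rule."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MIN_AGE_DAYS = 14  # the waiting period discussed in the text


def _parse_upload_time(stamp: str) -> datetime:
    # PyPI-style stamps end in "Z"; normalise so fromisoformat accepts them on older Pythons.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _version_key(version: str) -> Tuple[int, ...]:
    # Numeric sort so 1.10.0 > 1.9.1; non-numeric parts (e.g. "rc1") are simplified to 0.
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def first_upload(files: List[dict]) -> Optional[datetime]:
    """Earliest upload among a version's files; None if the release has no files."""
    times = [_parse_upload_time(f["upload_time_iso_8601"]) for f in files]
    return min(times) if times else None


def classify_releases(releases: Dict[str, List[dict]], now: datetime,
                      min_age_days: int = MIN_AGE_DAYS):
    """Split releases into (aged, quarantined) lists of (version, age_days), newest first."""
    aged, quarantined = [], []
    for version, files in releases.items():
        uploaded = first_upload(files)
        if uploaded is None:  # yanked or empty release: nothing to install anyway
            continue
        age = now - uploaded
        bucket = aged if age >= timedelta(days=min_age_days) else quarantined
        bucket.append((version, age.days))
    by_version = lambda item: _version_key(item[0])
    return (sorted(aged, key=by_version, reverse=True),
            sorted(quarantined, key=by_version, reverse=True))


def pick_installable(releases: Dict[str, List[dict]], now: datetime,
                     min_age_days: int = MIN_AGE_DAYS) -> Optional[str]:
    """Newest version old enough to install under the waiting rule, or None."""
    aged, _ = classify_releases(releases, now, min_age_days)
    return aged[0][0] if aged else None


# Constructed sample (hypothetical package): the fresh 2.0.0 is what a just-hijacked
# release looks like to this check, so it is held back; 1.10.0 (20 days old) wins.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_RELEASES = {
    "1.8.0": [],
    "1.9.0": [{"upload_time_iso_8601": "2023-11-01T00:00:00.000000Z"}],
    "1.9.1": [{"upload_time_iso_8601": "2024-01-20T00:00:00.000000Z"}],
    "1.10.0": [{"upload_time_iso_8601": "2024-02-10T00:00:00.000000Z"}],
    "2.0.0": [{"upload_time_iso_8601": "2024-02-27T00:05:00.000000Z"},
              {"upload_time_iso_8601": "2024-02-27T00:00:00.000000Z"}],
}

if __name__ == "__main__":
    print("installable:", pick_installable(SAMPLE_RELEASES, NOW))
    print("held back:", classify_releases(SAMPLE_RELEASES, NOW)[1])
```

In practice the same check runs against live registry metadata at upgrade time, with `NOW` taken from the clock rather than fixed.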