
I would say colors.js definitely can be considered malware. He in effect intentionally spinlocked a lot of packages, either directly or indirectly via transitive dependencies, and also intentionally bypassed common semver rules to maximize the damage.

Whether or not those packages should have been affected is another discussion, but it appears it probably had more of an effect on other open source packages and perhaps the work of small mom-and-pop companies rather than huge corporations.
