compromised? it is his code, he can do whatever he wants to do
he can put a Ukrainian flag on my terminal, just like he can put a Russian flag on your terminal, it is the purpose of his library, it's not yours
you decided to rely on this individual for free, without consulting, without asking yourself how updates are delivered and what he plans to do with his code
you are the only one responsible for compromising your company by depending on such a library
NPM/Cargo driven development is bad for everyone
if code on NPM/Cargo can't be reviewed by moderators, then you can't complain
if you don't review code from your dependencies, then you also have your part of the responsibility
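The comment's point is that a consumer, not the registry, owns the review of what a dependency update pulls in. As an added example (not code from the comment or from any project it refers to), here is a small Python script that diffs two npm lockfiles and lists exactly which packages were added, removed, bumped, or republished under the same version with a different integrity hash, so a reviewer knows what to read before merging. It assumes the lockfileVersion 2/3 `package-lock.json` layout (a top-level `packages` object keyed by `node_modules/<name>` paths); both lockfiles below are constructed sample data with placeholder hashes.

```python
"""List dependency changes between two npm lockfiles for human review.

Added example, not from the original comment. Assumes the lockfileVersion 2/3
package-lock.json layout: a "packages" object whose keys are install paths
("node_modules/<name>") and whose entries carry "version" and "integrity".
The two lockfiles and their integrity strings are constructed sample data.
"""
import json
from typing import Dict, List, Tuple

# Constructed "before" lockfile: four placeholder packages.
OLD_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3, "packages": {
        "": {"name": "app"},
        "node_modules/util-a": {"version": "1.3.0", "integrity": "sha512-AAAA"},
        "node_modules/util-b": {"version": "1.4.0", "integrity": "sha512-BBBB"},
        "node_modules/util-c": {"version": "1.2.5", "integrity": "sha512-CCCC"},
    }
})

# Constructed "after" lockfile: util-a keeps its version but its hash changed,
# util-b was bumped, util-c disappeared, util-d is new.
NEW_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3, "packages": {
        "": {"name": "app"},
        "node_modules/util-a": {"version": "1.3.0", "integrity": "sha512-ZZZZ"},
        "node_modules/util-b": {"version": "1.4.1", "integrity": "sha512-BBB1"},
        "node_modules/util-d": {"version": "0.1.0", "integrity": "sha512-DDDD"},
    }
})


def _packages(lock_text: str) -> Dict[str, Tuple[str, str]]:
    """Map an install path (minus the node_modules/ prefixes) to (version, integrity).

    The empty key "" is the root project and is skipped. Nested copies such as
    node_modules/x/node_modules/y are reported as "x/y" so they stay distinct.
    """
    data = json.loads(lock_text)
    out: Dict[str, Tuple[str, str]] = {}
    for path, entry in data.get("packages", {}).items():
        if not path:
            continue
        name = path.replace("node_modules/", "")
        out[name] = (entry.get("version", ""), entry.get("integrity", ""))
    return out


def diff_lockfiles(old_text: str, new_text: str) -> Dict[str, List[tuple]]:
    """Return the changes a reviewer must look at, grouped by kind."""
    old, new = _packages(old_text), _packages(new_text)
    report: Dict[str, List[tuple]] = {
        "added": [], "removed": [], "upgraded": [], "retagged": []
    }
    for name in sorted(new.keys() - old.keys()):
        report["added"].append((name, new[name][0]))
    for name in sorted(old.keys() - new.keys()):
        report["removed"].append((name, old[name][0]))
    for name in sorted(old.keys() & new.keys()):
        (old_ver, old_hash), (new_ver, new_hash) = old[name], new[name]
        if old_ver != new_ver:
            report["upgraded"].append((name, old_ver, new_ver))
        elif old_hash != new_hash:
            # Same version string, different artifact hash: the tarball behind
            # a published version changed, which warrants the closest look.
            report["retagged"].append((name, new_ver))
    return report


def needs_review(report: Dict[str, List[tuple]]) -> bool:
    """True when any package changed in any way."""
    return any(report[kind] for kind in report)


def main() -> None:
    report = diff_lockfiles(OLD_LOCK, NEW_LOCK)
    for kind, entries in report.items():
        for entry in entries:
            print(f"{kind:9s} {' -> '.join(entry)}")
    print("review required" if needs_review(report) else "no dependency changes")


if __name__ == "__main__":
    main()
```

Run it on the real `package-lock.json` from the base branch and the pull request instead of the embedded samples; a non-empty `retagged` list, or an `added` entry nobody asked for, is the case the comment is talking about and should block the merge until someone has read the new code.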