A significant issue has arisen in the NPM ecosystem from confusion between two similar commands: `npm add user` and `npm adduser`. `npm add` is an alias for `npm install`, so `npm add user` installs a package named `user`, and a large number of developers have done exactly that by accident. The error stems from the similarity of the two commands: a developer quickly typing `npm adduser`, which creates a user in the registry, only has to insert a stray space. This oversight, which was pointed out in a Pull Request but ignored, underscores a concerning supply chain vulnerability that could be exploited. The innocent-looking `user` package, currently a simple hello-world application, has been downloaded nearly 12 million times. The concern is that the benign package could be updated in the future to include malicious code. NPM reports 2760 dependent packages, with at least 20 added in December 2024 alone, which indicates how widespread the mistake is. A future update to the `user` package would therefore pose a risk to the thousands of developers who have inadvertently installed it and to any packages that depend on it, turning a simple typo into a potential security nightmare.
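One way to check a project for the accidental install described above, as an added example that is not part of the original article or of npm itself: it scans a parsed `package.json` and a v2/v3 `package-lock.json` for the `user` package and separates direct declarations from transitive ones. The sample manifests, versions and the other package names are constructed.

```javascript
// Added example: locate the registry package "user" in a project's manifests.
// SUSPECT comes from the article; all sample data below is constructed.
const SUSPECT = "user";
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const has = (obj, key) => !!obj && Object.prototype.hasOwnProperty.call(obj, key);

// Direct declarations in package.json: the likely trace of typing `npm add user`.
function directHits(manifest) {
  return SECTIONS.filter((s) => has(manifest[s], SUSPECT))
    .map((s) => ({ kind: "direct", where: s, version: manifest[s][SUSPECT] }));
}

// Lockfile v2/v3 keeps a flat "packages" map keyed by install path.
function lockHits(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match only an exact final segment, so "node_modules/user-agent-lib"
    // or a scoped "node_modules/@scope/user" is not reported.
    if (path === `node_modules/${SUSPECT}` || path.endsWith(`/node_modules/${SUSPECT}`)) {
      hits.push({ kind: "installed", where: path, version: meta.version });
    }
    // Any installed package (not the root "") that declares it pulls it in transitively.
    if (path !== "" && SECTIONS.some((s) => has(meta[s], SUSPECT))) {
      hits.push({ kind: "required-by", where: path, version: meta.version });
    }
  }
  return hits;
}

function audit(manifest, lock) {
  return [...directHits(manifest), ...lockHits(lock)];
}

// Constructed sample input (hypothetical project and package names).
const sampleManifest = { name: "demo-app", dependencies: { "web-lib": "^4.0.0", user: "^1.0.0" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "web-lib": "^4.0.0", user: "^1.0.0" } },
    "node_modules/web-lib": { version: "4.0.0" },
    "node_modules/user": { version: "1.0.0" },
    "node_modules/user-agent-lib": { version: "2.0.0" },
    "node_modules/some-dep": { version: "3.1.0", dependencies: { user: "*" } },
    "node_modules/some-dep/node_modules/user": { version: "1.0.0" },
  },
};

console.log(audit(sampleManifest, sampleLock));
```

For a real project, pass the `JSON.parse` output of the two files. A `direct` hit is the one a developer can remove with `npm uninstall user`; a `required-by` hit has to be fixed in the package that declares the dependency.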