We're working on a full post-mortem now. Until then we don't want to give out misleading/partial information.

Any update on the post-mortem? How long have the binaries been replaced? Is there evidence that malware was injected into the binaries?

Additionally, you should brush up on your code signing implementations. Had you signed it with a trusted code signing cert, consumers could have verified that you produced the binaries...and not a malicious user. Assuming they didnt have access to the private key material of your code signing key.

Not sure if you saw but they did post this: http://blog.npmjs.org/post/169432444640/npm-operational-inci...