lol, node is compromised by design. I think KiCad’s C++ roots don’t provide much exposure.
No. Different package ecosystem, NPM is for JavaScript software.
I have certainly heard of Javascript. Probably more than once. But with a few years of programming time, I do not think I could program my way out of a paper bag. 
If the paper bag were loosely closed with a rubber band, I could not program my way out with C++.
Anytime you receive an email saying you need to reset your password or some other security thing, do not click on anything in the email. Type the website address into your web browser manually like you would when you normally visit the site, then log in and make whatever changes. This is the only way to be sure you are where you think and you’re doing what you should be doing.
I have made a homepage on my own pc, with links to sites I often go to, so no manual typing is required.
What I sometimes do to check for spelling errors (URI, but also software) is to copy both versions into a text editor on consecutive lines. That makes any difference stand out.
Auto correction made me say things I didn’t nintendo.
Auto correction made me say things I didn’t intend to.
And if the mail would turn out to be a phishing thing, I would not even log into the original site or change anything.
Sometimes there is no obvious spelling mistake, but using some Unicode for an exotic letter from a foreign alphabet that looks normal. These can be very hard to spot.
That’s quite a stinker.
And even what used to be normal “flat” (ascii) text editors understanding unicode these days this make it even harder to spot.