Too Long; Didn't Read
If you install an npm package (or any package it depends on) that has a shrinkwrap file (<code class="markup--code markup--p-code">npm-shrinkwrap.json</code>) with an HTTP registry URL, a local network attacker (MITM) can execute malicious code on your machine.