They are not stealing the package. They are using it as a door into developer machines, CI, tokens, and customer systems.