Yeah, when I first started playing around with node I accidentally published one of my "hello world"-like apps to NPM's public registry. There was definitely no warning or indication of the severity of the action I was undertaking.

It's an easy mistake to make. What is concerning is that the bank didn't notice for three years... I feel like that should have been caught a lot sooner.