Hacker News

The state of the world is so depressing and I already believe this is satire but I'm only 99% sure. Can someone else confirm?



I haven't spent too much time on it, so there's a good chance that I'm wrong, but it doesn't seem to be satire. I think that it's merely depressing and predatory, or depressing and predatory because it's a cynical sales pitch - a conversion funnel - that conflates what could be deemed to be real risks (supply-chain attacks etc.) with major exaggerations. They probably worked with a PR agency to devise this approach and thought that it was a very clever way to capture the attention of this exact community - which may very well happen if it spurs a heated discussion and people end up mentioning their brand name and visiting their site.

To be clear, engineers should not be required in the least to "maintain mental maps of which packages are safe and which will detonate their employer's IP strategy" simply because in the vast majority of cases they're not co-owners of that business or that strategy. That is overstated and intentionally misleading, I suspect. AGPL obligations depend on how software is combined and distributed or network-served, not on some magical "contamination" event from merely touching a package.

Rhetoric through and through, in my opinion.


It works. It is hooked up to Stripe. You can upload your package.json and receive a fully cleanroomed set of dependencies to use yourself. It is up to you to determine whether this is a compelling product or a warning to those who care about FOSS.

Would be nice if it could clean-room replace proprietary software too. Would require automating the procedure this person did:

https://reorchestrate.com/posts/your-binary-is-no-longer-saf... https://reorchestrate.com/posts/your-binary-is-no-longer-saf...


I do like this idea, more difficult to do without access to the original source code, and I think that this would be more "reverse engineering" rather than cleanrooming, as you don't have the same concerns about copyright violation if you're working from a binary.

It's a satire, if you google the authors it's even more clear.

oh you ARE the author.

ok


Is it satire if it actually works and you can pay real money for it?



