Malicious bb-builder package identified in the NPM repository. NPM 6.11 released

The NPM repository administrators have blocked the bb-builder package, in which a malicious insert was detected. The malicious package had remained undetected since August last year. Over that year, the attackers managed to release 7 new versions, which were downloaded about 200 times.

When the package was installed, an executable file for Windows was launched, transferring confidential information to an external host. Users who installed the package are advised to urgently change all encryption keys and accounts in the system, as well as to check the system for backdoors left by attackers (removing the package from the system does not guarantee the removal of malware associated with it).
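To find out whether a project ever resolved the package, including as a transitive dependency, its lockfile can be searched. The following is an added example, not code from the original article or from npm; it assumes the standard `package-lock.json` layouts (nested `dependencies` in lockfile version 1, a flat `packages` map in versions 2 and 3), and the sample lockfiles with the names `left-tool` and `@acme` are constructed for illustration.

```javascript
// Added example: search parsed package-lock.json data for a named package.
const TARGET = 'bb-builder'; // package name taken from the article

function findInLockfile(lock, name = TARGET) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: flat map keyed by install path, e.g. "node_modules/a/node_modules/b"
    for (const [path, meta] of Object.entries(lock.packages)) {
      const leaf = path.split('node_modules/').pop(); // keeps "@scope/name" intact
      if (leaf === name) hits.push({ via: path, version: meta.version || null });
    }
    return hits; // v2 also mirrors a "dependencies" tree; skip it to avoid duplicates
  }
  // v1: nested tree; record the chain of parents that pulled the package in
  const walk = (deps, chain) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = chain.concat(dep);
      if (dep === name) hits.push({ via: here.join(' > '), version: meta.version || null });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not real project data; versions are placeholders).
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'left-tool': {
      version: '1.0.0',
      dependencies: { 'bb-builder': { version: '0.0.0-sample' } },
    },
    'bb-builder-docs': { version: '2.0.0' }, // similar name, must not match
  },
};
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/bb-builder': { version: '0.0.0-sample' },
    'node_modules/@acme/bb-builder': { version: '1.0.0' }, // scoped, different package
  },
};

console.log(findInLockfile(SAMPLE_V1), findInLockfile(SAMPLE_V3));
```

Pass it the result of `JSON.parse` on each project's `package-lock.json`; any hit, at any version, means the host that ran the install should be handled as described above.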

Additionally, the NPM 6.11 package manager update has been released. Starting with this version, files owned by the root user can only be created in directories owned by root (placing such files in directories of ordinary users is prohibited). The new version also fixes a crash that occurred when the "--user" option referred to a non-existent user (a problem mostly encountered by Docker users). "npm ci" now has full access to all npm setting values.

Source: opennet.ru
