Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. […]
from https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local-packages-with-backdoors/