40 JavaScript packages were found to be malicious and were removed from the Node.js package management registry. The attack involved a user named HackTask, who uploaded the rogue JavaScript libraries between July 19 and July 31. Npm maintains the Node Package Manager for JavaScript and hosts the world's largest software registry, according to the site. One example of a malicious package was named "crossenv", a name meant to be confused with that of the real package, "cross-env". The real danger came from the crossenv package
Source: security
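The crossenv/cross-env confusion described above is something a dependency review can check for mechanically. The following is an added example, not code from npm or from the original report: it flags dependency names that differ from a trusted name only by separators or by a single character. The allow-list, the function names and the sample manifest are assumptions constructed for illustration.

```javascript
'use strict';

// Constructed allow-list (assumption): in practice, your own vetted inventory.
const KNOWN_GOOD = ['cross-env', 'lodash', 'express', 'node-fetch'];

// Collapse case and separators so "crossenv", "cross_env" and "cross.env"
// all map to the same key as "cross-env".
function canonical(name) {
  return name.toLowerCase().replace(/[-_.]/g, '');
}

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Return dependencies that are not trusted themselves but look like a trusted name.
function findLookalikes(dependencies, knownGood = KNOWN_GOOD) {
  const trusted = new Set(knownGood);
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (trusted.has(dep)) continue;
    for (const good of knownGood) {
      const sameKey = canonical(dep) === canonical(good);
      if (sameKey || editDistance(dep, good) === 1) {
        const reason = sameKey ? 'separator-variant' : 'edit-distance-1';
        findings.push({ dependency: dep, resembles: good, reason });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest; the version strings are placeholders.
const sampleDependencies = { crossenv: '1.0.0', lodash: '1.0.0', expres: '1.0.0', 'left-pad': '1.0.0' };
console.log(findLookalikes(sampleDependencies));
```

A match is only a prompt for manual review of the package's publisher and contents; legitimate packages can have similar names.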

