On August 1, npm Inc. the company that runs the biggest JavaScript package repository removed 38 JavaScript packages that were caught stealing environment variables from infected projects. The attacker used a technique called “typo-squatting”” to register packages with names similar to popular libraries but with typos in their names. The attack is dangerous because some information such as hard-coded passwords or API access tokens is stored as environment variables. Developers who used any of these packages are advised to change any passwords or access tokens they stored in their configurations.”
Source: https://www.bleepingcomputer.com/news/security/javascript-packages-caught-stealing-environment-variables/