A software package available from the official NPM repository has been revealed to be a front for a tool designed to steal saved passwords from the Chrome web browser. The package in question, named “nodejs_net_server”, was downloaded over 1,283 times since February 2019. It was last updated seven months ago (version 1.1.2), and its corresponding repository links led to non-existent locations on GitHub. The rogue package has now been pulled from the repository.
Source: https://thehackernews.com/2021/07/malicious-npm-package-caught-stealing.html

