A package with a name very similar to the popular cross-env package was sending environment variables from its installation context out to the npm registry. The package naming was both deliberate and maliciousthe intent was to collect useful data from tricked users. All of hacktask s packages have been removed from the. npm registry, including the hacktask. address is banned from using. npm. It is not sufficient to prevent the human being behind it from trying again, but we felt it was a necessary gesture.”]
Source: https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry