This week NPM removed multiple packages hosted on its repository that established connections to remote servers and exfiltrated user data. These 4 packages had collected over 1,000 total downloads over the last few months before NPM removed them yesterday. The code establishes a reverse shell to the attacker’s server, allowing the attacker to obtain remote access to the compromised machine. The last package on the list, npmpubman, has a very different code structure and purpose. It is possible that all four packages were authored by the same attacker(s).
Source: https://www.bleepingcomputer.com/news/security/npm-nukes-nodejs-malware-opening-windows-linux-reverse-shells/