Package ‘bb-builder’ stole login information from computers it was installed on. It deployed an executable for Windows operating system that sent sensitive information to a remote server. Package was added to the Node.js repository after compromising the account owner’s credentials. The password recovery tool is used to recover website login information stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera browsers. It stayed undiscovered for a year, according to a researcher at ReversingLabs, a company that provides automated static analysis.
Source: https://www.bleepingcomputer.com/news/security/npm-pulls-malicious-package-that-stole-login-passwords/