Software developers are increasingly being targeted by supply chain attacks. NPM, the Node package manager, hosts almost 9M packages, which in turn consist of 1.7 billion files, or just under 37.5TB worth of data. Backdoors are particularly tricky to detect because of this: finding them among that volume of code is difficult. Backdoored packages can be hidden away, surrounded by hundreds of others written by the original software authors. A password recovery tool used to refresh your memory when you forget a website credential is OK, but finding one in the NPM repository is probably not OK.
Source: https://blog.secure.software/the-npm-package-that-walked-away-with-all-your-passwords