The npm security team has removed today a malicious JavaScript library from the npm website that contained malicious code for opening backdoors on programmers' computers.
https://www.zdnet.com/article/malicious-npm-package-opens-backdoors-on-programmers-computers/
https://www.zdnet.com/article/malicious-npm-package-opens-backdoors-on-programmers-computers/