A sophisticated, worm-like malware is spreading through npm packages. It steals GitHub, cloud, and npm credentials, then uses them to infect all packages maintained by a compromised developer and exfiltrate data.
The malware has a dead man's switch. If it loses access to its command servers, it triggers a destructive payload that attempts to delete user files on the infected system. Do not abruptly cut infected machines off from the network.
https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack