It’s a worrying trend to see more and more hijacking of popular packages to spread malware. The threat actor apparently gained access to the packager maintainers account and inserted a post install script to download malware.
The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware.
Source: Malware found in coa and rc, two npm packages with 23M weekly downloads