On August 1, npm Inc. — the company that runs the biggest JavaScript package repository — removed 38 JavaScript npm packages that were caught stealing environment variables from infected projects. […]

from https://www.bleepingcomputer.com/news/security/javascript-packages-caught-stealing-environment-variables/