A malicious package was removed today from the npm repository after it was discovered that stole login information from the computers it was installed on. […]

from https://www.bleepingcomputer.com/news/security/npm-pulls-malicious-package-that-stole-login-passwords/