npm package downloads another package while exfiltrating your IP address and username

On any given day, Sonatype's security research team analyzes dozens to hundreds of suspicious packages published to open source registries including npm and PyPI.
