The open-source project has more than 31,100 stars on GitHub. "The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload," Socket said.
Some results have been hidden because they may be inaccessible to you
Show inaccessible results