What happened?# People found malicious packages in npm that work like real ones, are named similarly real ones, but collect and send your process environment to a third-party server when you install them: @kentcdodds Hi Kent, it looks like this npm package is stealing env variables on install, using your cross-env package as bait: pic.twitter.com/REsRG8Exsx — Oscar Bolmsten (@o_cee) August 1, 2017
![Malicious packages in npm. Here’s what to do](https://cdn-ak-scissors.b.st-hatena.com/image/square/1296aa6bae67e08cf47f922f65473eb287f4496c/height=288;version=1;width=512/https%3A%2F%2Fiamakulov.com%2Fnotes2%2Fwp-content%2Fuploads%2F2017%2F08%2FApplicationFrameHost_2017-08-02_00-20-43-1.png)