Malicious packages in npm. Here’s what to doWhat happened?# People found malicious packages in npm that work like real ones, are named similarly real ones, but collect and send your process environment to a third-party server when you install them: @kentcdodds Hi Kent, it looks like this npm package is stealing env variables on install, using your cross-env package as bait: pic.twitter.com/REsRG8Exsx — Oscar Bolmsten (@o_cee) August 1, 2017
