JFrog says six malicious npm packages used hidden install-time execution, JSONKeeper fetches, and sandbox checks to enable remote access.
This extension should be more or less functional, but the code is not yet feature complete. No guarantees are given regarding stability or against random breaking changes. See the update notes for a poor excuse for ...