This article is garbage IMO. It’s no surprise that malware exists on NPM (since uploaded code is not security-reviewed), and that different types of malware present different types of threats.
The actual interesting part is the names of the packages, which are somewhat clever IMO as they seem harmless and legitimate, but this trash summary article decided to strip out the package names.
Here is the original article which does have the package names: https://www.fortinet.com/blog/threat-research/malicious-packages-hiddin-in-npm
but this trash summary article decided to strip out the package names.
Why the heck would they strip out the package names?! That’s like the bare minimum piece of information an article about something like this should contain.