This link appeared in WDRL 192 on .
Malicious crossenv package on npm
This week saw a new major incident involving several npm packages. An unknown author re-published many common packages under very similar names and injected malware into the code that steals all environment variables of the machine where the package is installed. The packages have since been pulled from the registry, but if you ever installed one of them by accident, it is not easy to spot, and you should consider your data stolen.
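Because a lookalike name is hard to spot by eye, a lockfile can be checked mechanically. The following is an added example, not code from the linked article or from npm: it flags installed names that differ from a well-known name only by separators or by one character. The allow-list, the function names and the sample lockfile (including `mongose`) are constructed for illustration.

```javascript
// Constructed allow-list of well-known package names (assumption; use your own).
const POPULAR = ["cross-env", "lodash", "express", "mongoose", "jquery"];

// Strip separators so "crossenv" and "cross-env" compare equal.
const squash = (name) => name.toLowerCase().replace(/[-_.]/g, "");

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0]; // diagonal cell from the previous row
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1,
                        prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// Package names from a package-lock.json "packages" map (lockfileVersion 2/3),
// including nested entries such as "node_modules/a/node_modules/b".
function lockedNames(lock) {
  const marker = "node_modules/";
  return Object.keys(lock.packages || {})
    .filter((p) => p.includes(marker))
    .map((p) => p.slice(p.lastIndexOf(marker) + marker.length));
}

// Report installed names that resemble, but are not, a well-known package.
function findLookalikes(lock, popular = POPULAR) {
  const hits = [];
  for (const name of new Set(lockedNames(lock))) {
    if (popular.includes(name)) continue; // exact match: the real package
    const real = popular.find(
      (p) => squash(p) === squash(name) || editDistance(p, name) === 1);
    if (real) hits.push({ installed: name, resembles: real });
  }
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = { packages: {
  "": { name: "demo" },
  "node_modules/express": {}, "node_modules/crossenv": {},
  "node_modules/a/node_modules/lodash": {}, "node_modules/mongose": {},
} };
console.log(findLookalikes(sampleLock));
```

A hit is only a prompt for manual review: legitimate packages can have similar names, and a clean result does not prove the lockfile was never tampered with.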