The malicious package is called 1337qq-js and was uploaded to the npm repository on December 30th. It was downloaded at least 32 times before Microsoft’s Vulnerability Research team discovered it. According to the npm security team's analysis, the package steals sensitive information by installing malicious scripts that target UNIX systems.
ZDNet reports that this is now the sixth incident involving a malicious package on the npm repository index. However, this is the least serious incident, as Microsoft analysts discovered the library after two weeks, before much abuse could take place.