Researchers found a malicious package on NPM, uploaded a year ago
It was benign at first, and introduced malware later via an update
The malware stole hundreds of thousands of secrets and installed cryptojackers on dozes of computers
For roughly a year, hackers have been infecting red teamers, penetration testers, security researchers, as well as other hackers, with a piece of malware that steals WordPress credentials and other sensitive data, and installs cryptominers on compromised endpoints.
As a result, login credentials for some 390,000 WordPress accounts were stolen, and dozens of systems were found mining Monero.