The campaign spans npm, Packagist, Go, and Chrome, using obfuscated JavaScript loaders and VS Code tasks to deliver malware.
A tutorial with examples of various access and display types can be seen at crotwell.github.io/seisplotjs. Also see the wiki. Install with npm i --save seisplotjs.
It's been one of those weeks. You expect the usual noise: recycled malware, sloppy attacks, another easy target getting hit. Instead, there's a supply chain attack ...