The Hacker News

Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware

Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data. The campaign, discovered by Socket, ...
GitHub

Read the contents of node_modules.

That's it. It doesn't figure out if dependencies are met, it doesn't mutate package.json data objects (beyond what read-package-json already does), it doesn't limit its search to include/exclude ...