Groundhog day: NPM package caught stealing browser passwords
blog.secure.software> This detection was assigned to an embedded Windows executable file...
I think this should be enough to declare it "malware", no? Why would one put a Windows (or any other) executable into repository for Javascript packages except to be malicious?