Not pretty, not Windows-only: npm phishing attack laces popular packages with malware