GitHub moves to tighten npm security amid phishing, malware plague