Self-propagating worm fuels latest npm supply chain compromise