In a report published today, Sonatype said the library was first published on the npm website on Friday, was discovered on the same day, and removed today after the npm security team blacklisted the package.
The reverse shell opened a connection to "4.tcp.ngrok[.]io:11425" from where it waited to receive new commands to run on the infected users' computers.
Sharma said the reverse shell only worked on UNIX-based operating systems.
Developers asked to change credentials, secrets, keys
"Any computer that has this package installed or running should be considered fully compromised," the npm security team said today, confirming Sonatype's investigation.
"All secrets and keys stored on that computer should be rotated immediately from a different computer," the npm team added.
This marks the fourth major takedown of a malicious npm package over the past three months.