The malicious package is named 1337qq-js and was uploaded to the npm repository on December 30, 2019.
The package was downloaded at least 32 times, before it was spotted and today by Microsoft's Vulnerability Research team.
According to an analysis by the npm security team, the package exfiltrates sensitive information through install scripts and targets UNIX systems only.
The type of data it collects includes:
This marks the sixth incident of a malicious package making it onto the npm repository index, although this is the least severe, primarily because Microsoft security analysts caught the library two weeks after it was published and before it gained a serious following.
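Because the package relies on install scripts, one defensive check is to list every dependency in a `node_modules` tree that declares an npm install-time hook. The following is an added example, not code from the original article or from the npm security team; the function names, package names and commands in the sample tree are constructed for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Walk `root` and report every package.json that declares an install-time hook.
function findInstallScripts(root) {
  const findings = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      if (!entry.isDirectory()) continue; // symlinks are skipped, so no cycles
      const full = path.join(dir, entry.name);
      const manifest = path.join(full, "package.json");
      if (fs.existsSync(manifest)) {
        let scripts = {};
        let name = entry.name;
        try {
          const pkg = JSON.parse(fs.readFileSync(manifest, "utf8"));
          if (pkg && typeof pkg === "object") {
            scripts = pkg.scripts || {};
            name = pkg.name || name;
          }
        } catch (err) {
          // A manifest that cannot be parsed deserves a manual look.
          findings.push({ name, hook: "unparseable-manifest", command: "" });
        }
        for (const hook of INSTALL_HOOKS) {
          if (typeof scripts[hook] === "string") {
            findings.push({ name, hook, command: scripts[hook] });
          }
        }
      }
      walk(full); // descends into @scope/ directories and nested node_modules
    }
  };
  walk(root);
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample tree (hypothetical packages) so the example runs offline.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "nm-audit-"));
  const write = (rel, manifest) => {
    fs.mkdirSync(path.join(root, rel), { recursive: true });
    fs.writeFileSync(path.join(root, rel, "package.json"), JSON.stringify(manifest));
  };
  write("benign-lib", { name: "benign-lib", scripts: { test: "node test.js" } });
  write("example-hooked", { name: "example-hooked", scripts: { postinstall: "node collect.js" } });
  write("@scope/nested/node_modules/deep-hooked", { name: "deep-hooked", scripts: { preinstall: "sh setup.sh" } });
  return root;
}

for (const f of findInstallScripts(buildSampleTree())) console.log(`${f.name}: ${f.hook} -> ${f.command}`);
```

Installing with `npm install --ignore-scripts` prevents these hooks from running until the reported commands have been reviewed.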
Previous incidents of malicious npm packages making it on npm include: