An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system. [...]

https://www.bleepingcomputer.com/news/security/supply-chain-attack-hits-npm-package-with-45-000-weekly-downloads/