Hackers getting in via NPM maybe