Researchers report a supply-chain attack that poisoned several highly popular NPM packages, adding code to intercept cryptocurrency transactions. Malicious versions propagated widely, reaching about 10% of cloud environments.