Malicious updates hit at least 18 popular npm packages (including chalk, debug, ansi-styles) after a maintainer’s account was phished via a fake 2FA reset email. The code briefly redirected crypto transactions; the tainted versions were pulled.