Attackers compromised the npm ‘atool’ account and published 637 malicious versions across 317 packages in 22 minutes, including high-traffic projects like size-sensor and echarts-for-react. The sophisticated payload harvests credentials, establishes persistent backdoors, and exploits GitHub’s infrastructure for command-and-control operations.