A contributor on GitHub finds an abandoned, but popular JS library and commits code that targets a Bitcoin wallet made by a particular company. Hundreds of other libraries use this library making this vulnerability affect thousands of applications since it is a transitive dependency.
NPM (and npmjs.com) provide a valuable service in hosting JavaScript dependencies. By blindly upgrading to latest version of libraries, developers can open themselves to malicious attacks similar to those described below.
I would recommend developers understand how npm’s package lock mechanism works. This will ensure that your dependencies are reproducible and force the use of known and trusted modules instead of downloading the latest version.
This is not a problem just with the JavaScript eco-system. Python (via pip or conda) and Java (via maven & gradle) have similar issues. However my, totally subjective and un-scientific, observation is that JavaScript libraries tend to have way more dependencies (see the “left-pad” debacle for example)..
Ars Technica has a good write up about this particular issue: https://arstechnica.com/information-technology/2018/11/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin/