The malicious NPM package, which masqueraded as a legitimate alternative to a popular package, downloaded a phishing HTML code from the jsdelivr CDN service to steal users’ credentials.