ReversingLabs researchers discovered a suspicious package on npm called legacyreact-aws-s3-typescript. They found that the package contained a post-install script that downloaded and executed a simple backdoor.