An unknown threat actor is leveraging malicious npm packages to target developers with an aim to steal source code and configuration files from victim machines, a sign of how threats lurk consistently in open-source repositories.