Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”.