For the first time, RL researchers discover malicious locally-installed npm packages infecting other legitimate packages.