From zdnet.com
The npm security team has removed a malicious JavaScript library from the npm portal that was designed to steal sensitive files from an infected users’ browser and Discord application.
The malicious package was a JavaScript library named “fallguys” that claimed to provide an interface to the “Fall Guys: Ultimate Knockout” game API.