The campaign spans npm, Packagist, Go, and Chrome, using obfuscated JavaScript loaders and VS Code tasks to deliver malware.
Every device has something to hide.
You'll have to rush to use it before it disappears into the API billing side ...