JFrog found malicious npm packages that deploy a Windows RAT to steal Chrome credentials, run commands, and transfer files.
If you don't want to include Mouse Follower files in your project, you can use it from CDN.