NPM Bug Allowed Attackers to Distribute Malware as Legitimate Packages