A malicious npm package discovered in the public registry managed to steal sensitive files from developer machines by disguising itself as a seemingly harmless utility. Security researchers identified the package, named ua-parser-js2, which contained code designed to exfiltrate environment variables, SSH keys, and other confidential data stored on infected systems. According to a detailed report published by The Hacker News, the attack represents a sophisticated supply chain compromise that targeted developers who installed the package through standard npm commands. The incident unfolded when the package first appeared in the npm registry under the name ua-parser-js2, an obvious attempt to mimic the legitimate and widely used ua-parser-js library that parses user agent strings in web applications.…
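A defender-side check for the name imitation described above, as an added example that is not taken from the report or the article: it flags dependencies in a `package.json` whose names sit within a small edit distance of an approved package name. The allow-list `KNOWN`, the threshold of 2 and the sample manifest are constructed assumptions.

```javascript
// Constructed allow-list; a real check would use your organisation's approved packages.
const KNOWN = ["ua-parser-js", "lodash", "express"];

// Levenshtein edit distance between two strings (two-row dynamic programme).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Drop case and separators so "ua_parser.js" compares equal to "ua-parser-js".
function squash(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Report every dependency that is not on the list but closely resembles an entry on it.
// Note: with very short names a threshold of 2 will produce false positives.
function findLookalikes(pkgJson, known = KNOWN, maxDistance = 2) {
  const deps = { ...pkgJson.dependencies, ...pkgJson.devDependencies };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (known.includes(name)) continue; // exact match: the approved package itself
    for (const legit of known) {
      const distance = editDistance(squash(name), squash(legit));
      if (distance <= maxDistance) {
        findings.push({ name, resembles: legit, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest (versions are placeholders).
const samplePackageJson = {
  dependencies: { "ua-parser-js2": "^1.0.0", express: "^4.18.2" },
  devDependencies: { "left-pad": "^1.3.0" },
};
console.log(findLookalikes(samplePackageJson));
```

Run against a real manifest in CI, a non-empty result is a reason to review the dependency before `npm install` executes any of its code.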