The affected package is Event-Stream, a library built to simplify working with Node.js streaming modules and available through the npmjs.com repository.
Although the malicious code was discovered last week, researchers were able to determine its purpose recently, when they managed to decrypt and deobfuscate it.
They found that earlier versions of the library that are still in use include a new component, ‘flatmap-stream’ version 0.1.1, that contains dangerous code. It was introduced three months ago after Dominic Tarr, the original developer of Event-Stream, gave up the library and passed it to another developer, right9ctrl.
Source: Bleeping Computer