The packages carry backdoors that first collect environment information and then delete entire application directories.

Two malicious NPM packages contain code that would delete production systems when triggered with the right credentials.