The Sept. 8 NPM hack injected clipper malware into tampered NPM packages, targeting crypto address fields. Major services say no funds were lost; developers and users should verify package integrity,
