California based NPM Inc, curators of the npm javascript package collection, have admitted their command line based 'npm' package manager has for a very long time included a pheature helpfully allowing malware to walk filesystems in search of crypto keys (archived). Facebook's 'yarn' alternative client for NPM's package collection also included a very similar pheature.