A new large-scale attack on a popular JavaScript code registry has hit around 150 packages. The automatic propagation of the threat makes it especially dangerous — developers need to react ASAP.