The malicious packages targeted users of some of the largest ecosystems for JavaScript developers, including React, Vue, and Vite. The specific packages were: js-bomb; js-hood; vite-plugin-bomb-extend ...