The audacity of cybercriminals has reached new heights, as they have now infiltrated the most sacred of developer spaces: npm and VS Code packages. Experts suggest a new career path for hackers: professional scavenger hunters, given their talent for snatching hostnames, IP addresses, and user directories of unsuspecting developers.

Three mysterious developer accounts, possibly operated by basement-dwelling geniuses with too much free time, became overnight celebrities among cyber sleuths for successfully turning benign-sounding packages into data-harvesting machines. Game-changing install-time scripts were smuggled in and acted faster than a college kid downing ramen noodles.

It’s rumored that these cyber tricksters had their sights set on some discordant prize, reportedly funneling all stolen data to a Discord-controlled endpoint. In an ironic twist of fate, that’s probably where all the world’s bitcoins are also gathered for a virtual happy hour.