My understanding is, it's a worm that injects itself into the current package and publishes infected code to npm.