Running npm install is a good way to get compromised.