JFrog says six malicious npm packages used hidden install-time execution, JSONKeeper fetches, and sandbox checks to enable remote access.
.php cgi-bin images admin includes search .html cache login modules templates plugins wp-admin themes js index xmlrpc wp-includes media wp-content css language tmp scripts register misc install ...