Lazarus Group concealed a four-module remote access toolkit inside six fake npm Rollup polyfill packages that fired at import ...
If you're considering PuppeteerSharp for PDF generation, here's the version of the story that doesn't show up in the "getting started" docs.