Attackers invite targets to collaborate on a project, convincing them to download and run a repository with malicious npm dependencies.