Hackers hijack NPM packages with 2B weekly downloads in supply chain attack