You too can run malware from NPM (I mean without consequences)