Criminals have been caught trying to sneak a malicious package on to the popular Node.js platform npm (Node Package Manager).