According to recent research from cybersecurity company JFrog, malware that targets the npm ecosystem can avoid security checks by exploiting a “unexpected behaviour” in the tool’s command line interface (CLI). The issue alone occurs when a hyphen, which is used to indicate a pre-release version of a npm module, is included in the installed package version.
The install and audit commands in the npm CLI may automatically scan a package and all of its dependencies for known security weaknesses, thereby serving as a warning system for developers by pointing out the problems.