Overview
All versions of npmpubman contain malicious code. The index.js file sends local environment variables to a remote server. The file is not run upon installation - the package needs to be required or the index.js run manually.
Remediation
Remove the package from your environment and ensure any compromised credentials are rotated.
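To confirm whether a project pulls the package in, including as a transitive or aliased dependency, the following added example (not part of the advisory or of npm's tooling) searches a parsed package-lock.json for `npmpubman`. The sample lockfiles, the `example-dep` name and the version numbers are constructed for illustration.

```javascript
// Added example: locate a package in a parsed package-lock.json object.
// Covers lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" keyed by path).
const FLAGGED = 'npmpubman'; // package name taken from the advisory

function findInLockfile(lock, name = FLAGGED) {
  const hits = new Set();

  // v2/v3: keys look like "node_modules/a/node_modules/b"; the last segment is the folder.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // "" is the root project, other keys are workspace folders
    // An aliased install records the real package name in "name".
    const pkg = meta.name || path.slice(idx + 'node_modules/'.length);
    if (pkg === name) hits.add(`${path}@${meta.version}`);
  }

  // v1 (and the compatibility section of v2): walk nested "dependencies" recursively.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = [...trail, dep];
      if (dep === name) hits.add(`${here.join(' > ')}@${meta.version}`);
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);

  return [...hits].sort();
}

// Constructed sample lockfiles (names other than npmpubman and all versions are made up).
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    'example-dep': { version: '1.0.0', dependencies: { npmpubman: { version: '0.0.1' } } },
    'npmpubman-lookalike': { version: '2.0.0' }, // different name, must not match
  },
};
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-dep': { version: '1.0.0' },
    'node_modules/example-dep/node_modules/npmpubman': { version: '0.0.1' },
  },
};

console.log(findInLockfile(sampleV1));
console.log(findInLockfile(sampleV3));
```

For a real project, pass in the result of `JSON.parse` on the contents of its package-lock.json; any hit means the environment variables of processes that loaded the package should be treated as exposed.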
Advisory timeline
Published: Advisory Published, Oct 15th, 2020
Reported: Reported by Unknown, Oct 15th, 2020