A prominent NPM developer, Qix, has had their account compromised. It has been used to push malware that runs and looks for Bitcoin and cryptocurrency wallets on user devices. If a wallet is detected, the malware patches the functions used to coordinate transaction signing and replaces the address the user is trying to send money to with one of the malware creator's addresses.
This should mainly be a concern for web wallet users, and then for Ordinals or Runes/other token users in the Bitcoin ecosystem. Unless an update for a normal software wallet is pushed with the compromised dependency, or your wallet dynamically loads code directly from its back end, bypassing the App Store, you should be fine.
NPM is a package manager for Node.js, a popular JavaScript framework. This means it is used to pull in large sets of pre-written code that provide common features across different programs, so that developers do not have to rewrite basic functions themselves.
The targeted packages were not specific to cryptocurrency; they are packages used by countless ordinary applications built with Node.js, not only cryptocurrency wallets.
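Because the affected code arrives as an ordinary dependency, a project can check its lockfile for it. The sketch below is an added example, not code from the affected packages or from any wallet team; the package names and versions in the blocklist are placeholders to be replaced with the ones published in the official advisory, and the lockfile is constructed sample data.

```javascript
// PLACEHOLDER indicators: replace with the names/versions from the advisory.
const BLOCKLIST = new Map([
  ["example-compromised-pkg", ["9.9.9"]],
  ["another-placeholder-pkg", ["1.2.3", "1.2.4"]],
]);

// Return every blocklisted package@version found in a parsed package-lock.json.
// Handles lockfileVersion 2/3 ("packages" map keyed by install path) and
// lockfileVersion 1 (nested "dependencies" tree).
function findCompromised(lock, blocklist = BLOCKLIST) {
  const hits = [];
  const check = (name, version, where) => {
    if ((blocklist.get(name) || []).includes(version)) {
      hits.push({ name, version, where });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
      const i = path.lastIndexOf("node_modules/");
      const name = meta.name || (i >= 0 ? path.slice(i + 13) : path);
      check(name, meta.version, path);
    }
  } else {
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const where = trail ? `${trail} > ${name}` : name;
        check(name, meta.version, where);
        walk(meta.dependencies, where); // v1 nests transitive copies here
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (v3 layout): the bad version is pulled in
// transitively, while the top-level copy is a version not on the blocklist.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-wallet", version: "1.0.0" },
    "node_modules/ui-lib": { version: "4.0.0" },
    "node_modules/ui-lib/node_modules/example-compromised-pkg": { version: "9.9.9" },
    "node_modules/example-compromised-pkg": { version: "9.9.8" },
  },
};

console.log(findCompromised(sampleLock));
```

The nested hit is the case to watch for: a project that never installed the package directly can still ship it through another dependency.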
If you use a hardware wallet in combination with your web wallet, take care to verify on the device itself that the destination address you are sending to is correct before signing anything.
If you are using software keys in the web wallet itself, it would be advisable not to open the wallet or transact with it until you are sure you are not running a vulnerable version. The safest course of action is to wait for an announcement from the team that develops the wallet you use.