Sonatype Security Research has identified two malicious npm packages — sbx-mask and touch-adv — that appear to result from a compromised maintainer account rather than intentional malicious creation.