Unknown attackers have compromised several popular npm packages in a supply-chain attack.