Three of these included obfuscated payloads designed to download additional malicious components. The similarities between the npm package and compromised VSCode extensions suggest the same threat ...