The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all.
Basically $EVIL_HACKER issues pull requests against a large number of open source git repos of popular npm packages to fix bugs. In fixing bugs, $EVIL_HACKER adds logging, and makes it look all pretty using their own npm package that colourises the log messages. This package then becomes a dependency of the more popular package, and $EVIL_HACKER owns the code in this package.
Through various shenanigans, the malicious code doesn’t appear in the git repo, and in the published (installed) package it’s reasonably well hidden, minified and otherwise obscured such that it’s incredibly unlikely to be noticed.
The malicious package then takes a number of steps to avoid detection and sits there in the background silently submitting form data to their server – this can be logins, credit card details, personal information – anything submitted in a form on any page where the malicious pretty log formatting code runs.