npm packages with 2.6 billion weekly downloads hijacked—attackers inject browser malware to steal crypto, replacing wallet addresses in 18 major libraries