Two coordinated supply-chain attacks, TrapDoor and a 176-package npm campaign, are targeting developers. These attacks exploit package repositories to steal.