Woah, rather than selling security exploits, there's now a black market selling access to compromised corporate networks! https://arstechnica.com/information-technology/2019/05/hackers-breached-3-us-antivirus-companies-researchers-reveal/
miniblog.
Related Posts
Today's compromised npm package: https://github.com/dominictarr/event-stream/issues/116 only had the malicious code in the minified version.
We don't always think of JS as a compiled language, but reproducible/verifiable compilation would have helped here.