An npm package demonstrating how packages can steal your data (but not actually doing so!)
This captures the environment variable $PLEASE_STEAL_THESE_CREDENTIALS and sends it to an evil site when the package is installed or required.
The evil site in question is evil.test. Note that .test is a reserved TLD, which will never resolve, so these requests will always fail; that's OK.
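A defender-side check for the two triggers described above (install and require), as an added example that is not part of this package: it lists the lifecycle scripts npm runs automatically on install and flags entry points that both read process.env and load a network-capable module. The function names, the regex heuristics and the sample manifest are assumptions constructed for illustration, and only top-level packages under the given directory are inspected.

```javascript
const fs = require("fs"), path = require("path");

// npm runs these lifecycle scripts automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Heuristic markers (assumptions): environment access and network-capable APIs.
const ENV_RE = /process\.env\b/;
const NET_RE = /require\(\s*["'](?:node:)?(?:https?|net|dns|dgram)["']\s*\)|\bfetch\s*\(/;

// Return the install-time hooks declared in a parsed package.json.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Flag source that both reads the environment and can reach the network.
function readsEnvAndNetwork(source) {
  return ENV_RE.test(source) && NET_RE.test(source);
}

// Inspect one package directory; return a finding or null if nothing stands out.
function auditPackage(dir) {
  const manifestPath = path.join(dir, "package.json");
  if (!fs.existsSync(manifestPath)) return null;
  let manifest;
  try { manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8")); } catch { return null; }
  const hooks = installHooks(manifest);
  const main = typeof manifest.main === "string" ? manifest.main : "index.js";
  const mainFile = path.join(dir, main);
  const isFile = fs.existsSync(mainFile) && fs.statSync(mainFile).isFile();
  const envNet = isFile && readsEnvAndNetwork(fs.readFileSync(mainFile, "utf8"));
  return hooks.length || envNet ? { name: manifest.name, hooks, envNet } : null;
}

// Audit top-level packages (including @scope/name) under a node_modules directory.
function auditNodeModules(root) {
  const dirs = [];
  for (const entry of fs.readdirSync(root)) {
    const full = path.join(root, entry);
    if (entry.startsWith("@")) for (const sub of fs.readdirSync(full)) dirs.push(path.join(full, sub));
    else dirs.push(full);
  }
  return dirs.map(auditPackage).filter(Boolean);
}

// Constructed sample manifest and entry-point source (not taken from any real package).
const sampleManifest = { name: "demo-pkg", scripts: { postinstall: "node index.js", test: "mocha" } };
const sampleSource = 'const https = require("https");\nconst v = process.env.PLEASE_STEAL_THESE_CREDENTIALS;';
console.log(installHooks(sampleManifest), readsEnvAndNetwork(sampleSource));
```

A finding is a prompt for manual review, not proof of malice; many legitimate packages use install hooks to build native code.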