Cybersecurity experts discover a year-long npm attack stealing sensitive data and mining cryptocurrency via hidden dependencies.