I received one of these today too, as part of helping a company out. If npm install etc is ran, gives full access to malware at user leverl