For quite some time, unknown threat actors have been trying to inject or publish malicious npm packages into the software registry, with goals such as discovering and exfiltrating sensitive data (private SSH keys, bash history, credentials, environment variables).
Based on an article published a few months ago, Hunting Malicious npm Packages | Decipher, a new VT to check for such malicious npm packages was created in June 2018:
On authenticated scans against a Linux target (see requirements on target systems with Linux for more information), the VT will report any detected malicious npm packages.
Just recently, coverage for the package flatmap-stream (whose goal was to steal bitcoin wallets from users of Copay) was added.
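The check described above boils down to walking the installed `node_modules` trees on the target and comparing each package's manifest against a list of known malicious packages. The following is an added, self-contained illustration of that approach; it is not the VT's own code and not affiliated with the Greenbone project. The only package name it takes from this page is flatmap-stream; the blocklist entry's version is a deliberate placeholder (the page does not state the affected version), the `some-dep` and `demo-lib` names and the whole directory tree are constructed fixtures, and `scan_node_modules` / `build_fixture` are hypothetical helper names.

```python
import json
import os
import tempfile

# Constructed blocklist: package name -> set of malicious versions, or None
# meaning "flag any version". flatmap-stream is named on the page; its real
# affected version is not stated there, so None is used as a placeholder.
MALICIOUS_PACKAGES = {
    "flatmap-stream": None,
}


def scan_node_modules(root):
    """Walk every node_modules directory below `root` (including nested ones)
    and return the installed packages whose name and version are blocklisted.
    Scoped packages (@scope/name) work because the manifest's own "name"
    field is compared, not the directory name."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        # Only manifests installed under some node_modules directory count;
        # the project's own top-level package.json is not a dependency.
        if "node_modules" not in dirpath.split(os.sep):
            continue
        manifest = os.path.join(dirpath, "package.json")
        try:
            with open(manifest, encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            # Unreadable or malformed manifest: skip it rather than abort
            # the whole scan, so one broken package cannot hide the others.
            continue
        if not isinstance(meta, dict):
            continue
        name = meta.get("name")
        version = meta.get("version")
        if name not in MALICIOUS_PACKAGES:
            continue
        bad_versions = MALICIOUS_PACKAGES[name]
        if bad_versions is None or version in bad_versions:
            findings.append({"name": name, "version": version, "path": dirpath})
    return findings


def build_fixture():
    """Create a constructed temporary project tree: a clean top-level
    package, one clean dependency, a nested copy of flatmap-stream two
    levels deep, and a corrupt manifest that must not crash the scan."""
    root = tempfile.mkdtemp(prefix="npm-scan-demo-")
    manifests = {
        "package.json": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/demo-lib/package.json": {"name": "demo-lib", "version": "2.3.4"},
        "node_modules/some-dep/node_modules/flatmap-stream/package.json": {
            "name": "flatmap-stream",
            "version": "0.0.0-placeholder",  # constructed, not the real version
        },
    }
    for rel, meta in manifests.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    broken = os.path.join(root, "node_modules", "broken-pkg", "package.json")
    os.makedirs(os.path.dirname(broken), exist_ok=True)
    with open(broken, "w", encoding="utf-8") as fh:
        fh.write("{ this is not json")
    return root


if __name__ == "__main__":
    demo_root = build_fixture()
    for hit in scan_node_modules(demo_root):
        print("MALICIOUS PACKAGE: %(name)s %(version)s at %(path)s" % hit)
```

A real check would read the blocklist from a maintained feed rather than a hard-coded dict and would match exact version ranges, since a package name is often legitimate in all but one or two compromised releases; matching on name alone, as the placeholder entry here does, is the conservative fallback when the affected versions are not known.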