Multiple security vulnerabilities have been disclosed in popular package managers that, if potentially exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines.
It's, however, worth noting that the flaws require the targeted developers to handle a malicious package in conjunction with one of the affected
http://dlvr.it/SLWDNN
http://dlvr.it/SLWDNN