A coordinated software supply chain attack struck the npm package registry on May 19, compromising more than 300 packages through a single stolen maintainer account.