Packagist packages hid malicious package.json scripts, enabling Linux binary execution during installs and workflows.