“It looks like this npm package is stealing env variables on install, using your cross-env package as bait”