An advanced malware campaign on the npm registry steals the very keys that control enterprise cloud infrastructure.