Supply chain attackers have hijacked at least two npm packages and a cluster of Go modules, repurposing them to silently deploy a Python-based information stealer on developer machines running Windows