The maintainer for a piece of code that is widely used got owned, and apparently in that process the attacker slipped in malicious code to these pieces of code 'packages'