A new playground: Malicious campaigns proliferate from VSCode to npm