Attackers are compromising open-source packages to spread malware. Cyber defenders are asked to review dependencies to reduce risks