Unlike most open-source attacks, in which malicious packages execute upon installation, the payload in this campaign is hidden in multiple strategic locations and executes only when victims use the packages' actual functions, researchers at Checkmarx told SC Media. This makes the campaign hard for many security scanners to detect.
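The gap described above can be seen from the defender's side in the following added example, which is not code from Checkmarx or from the campaign. It assumes the package is written in Python, and the `SUSPICIOUS` call list and the sample module are constructed for illustration. A check that only looks at code running on install or import reports nothing for the sample, while walking function bodies surfaces the hidden calls.

```python
import ast

# Call names flagged for this illustration (an assumed list, not taken from the article).
SUSPICIOUS = {"exec", "eval", "compile", "b64decode", "system", "Popen", "urlopen"}

def call_name(node):
    """Trailing name of a call target: exec(...) -> 'exec', os.system(...) -> 'system'."""
    target = node.func
    if isinstance(target, ast.Name):
        return target.id
    if isinstance(target, ast.Attribute):
        return target.attr
    return None

def scan(source):
    """Sort suspicious calls by when they would run: at import/install time,
    or only once a caller invokes the enclosing function."""
    findings = {"import_time": [], "call_time": []}

    def walk(node, func):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            # Decorators and argument defaults run when the def statement runs;
            # the body runs only when the function is called.
            for part in [*node.decorator_list, node.args]:
                walk(part, func)
            for stmt in node.body:
                walk(stmt, node.name)
            return
        if isinstance(node, ast.Call) and call_name(node) in SUSPICIOUS:
            bucket = "call_time" if func else "import_time"
            findings[bucket].append((func, call_name(node), node.lineno))
        for child in ast.iter_child_nodes(node):  # lambda bodies stay in the enclosing scope
            walk(child, func)

    walk(ast.parse(source), None)
    return findings

# Constructed sample module: nothing suspicious at top level, payload inside a utility function.
SAMPLE = '''
import base64

def to_slug(text):
    blob = "<constructed placeholder>"
    exec(base64.b64decode(blob))
    return text.lower().replace(" ", "-")
'''

if __name__ == "__main__":
    for bucket, hits in scan(SAMPLE).items():
        print(bucket, hits)
```

The source is only parsed, never executed, so the scan is safe to run against an untrusted package tree one file at a time.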