Malicious npm packages like ‘requests-promises’ mimic trusted libraries. Here’s how devs are being tricked and how to stay protected.