Larger discussion thread here: https://news.ycombinator.com/item?id=45260741

I scanned this discussion looking for a way to tell if you've been compromised but nothing jumped out.

If you’re a package maintainer, please defensively revoke all NPM and GitHub tokens. This is a worm which is still spreading and you probably don’t want to publish anything today anyways, so you might as well use this incident as an opportunity to rotate everything.