Live updates: Shai-hulud, the most dangerous NPM breach in history

by chha on 9/16/2025, 6:26 PM with 3 comments

by btown on 9/16/2025, 6:46 PM

Larger discussion thread here: https://news.ycombinator.com/item?id=45260741

by bikeshaving on 9/16/2025, 7:09 PM

If you’re a package maintainer, please defensively revoke all NPM and GitHub tokens. This is a worm which is still spreading and you probably don’t want to publish anything today anyways, so you might as well use this incident as an opportunity to rotate everything.