Two destructive NPM packages masquerading as WhatsApp development tools have wiped files from developers' systems, leveraging a kill switch to avoid Indonesian targets. Separately, 11 typosquatting Go packages execute remote payloads, highlighting escalating supply chain threats. Socket researchers warn these incidents expose critical vulnerabilities in open-source ecosystems.