art-template npm Coruna Browser Exploit Compromise
Unauthorized art-template releases 4.13.3, 4.13.5, and 4.13.6 modified the browser bundle to load remote JavaScript. The later chain delivered a Coruna iOS exploit framework; npm has removed 4.13.5 and 4.13.6, while 4.13.2 remains the last verified clean release.