JFrog says six malicious npm packages used hidden install-time execution, JSONKeeper fetches, and sandbox checks to enable remote access.
Copy cpu_rec.py and cpu_rec_corpus into the same directory. If you don't have the lzma module installed for your Python (this tool works with either python3 or python2 >= 2.4), then you should unxz ...