A malicious JavaScript dependency reportedly evolved in plain sight, then used a trusted developer workflow and a legitimate AI platform as cover for a stealthier supply-chain operation.