An educational resource that examines the structure and characteristics of malicious packages in software ecosystems, particularly focusing on JavaScript and NPM packages. The content explores different threat models for malware delivery through packages, distinguishing between in-browser and on-host attack scenarios. It analyzes attacker motivations and methodologies when targeting software supply chains through package repositories. The resource walks through hypothetical exercises demonstrating how malware functions within packages, ranging from simple temporary attacks to more complex persistent threats. It provides insights into the practical implementation of malicious code within legitimate-looking packages. The material covers the advantages that attackers gain when targeting package ecosystems and explains the different attack vectors available through compromised or malicious packages. It serves as an educational guide for understanding package-based security threats.