Supply Chain Attack Targets JS Frameworks via Malicious Type Definitions

A widespread 'Polyglot' supply chain attack has been detected targeting plugins for popular JavaScript frameworks. Attackers are publishing malicious packages that pose as legitimate TypeScript type definitions but carry obfuscated post-install scripts. When a developer installs such a package, the script runs inside the development environment, harvests environment variables (in particular cloud provider tokens) and injects a persistent backdoor into the final web bundle. The campaign illustrates a growing trend of attacking web applications at build time rather than at run time. Security teams are advised to lock dependency versions and to use tools such as socket.dev or npm audit to flag packages with suspicious post-install behavior.