npm/KyleRoss windows-cpu all versions vulnerable to command injection resulting in code execution as Node.js user