More packages poisoned in npm attack, but would-be crypto thieves left pocket change