Attackers used 11 Go and 2 npm packages to spread malware across platforms, putting open-source developers at risk.