SHA-256 of binding.gyp file shared across confirmed LeoPlatform/RStreams malicious npm package set; triggers node-gyp install-time execution