Claude Mythos stays locked up, supply chain attacks hit npm and open source maintainers