Did a security researcher at Snyk really just publish malicious packages to NPM targeting Cursor.com?