MESSAGE FROM @Qix- : PLEASE SEE #1005 (comment) FOR LATEST UPDATES.

Version not present in this repo has been pushed out to npm.
https://www.npmjs.com/package/debug/v/4.4.2?activeTab=code
src/index.js seems to contain a cryptominer installer something like a cryptostealer?
My brain is too foggy to figure out, but seems as if most of the payload doesn't actually run if typeof window == undefined as is the case in NodeJS runtime?