Installing npm packages feels like playing russian roulette these days. This is 100x times worse than the other attack.

So it sounds like it isn't just a supply chain attack anymore-- It's a Trojan horse via supply chain that can replicate. Reminds me of early 2000's viruses.