Just like last few supply chain attacks in npm ecosystem this again…


Just like the last few supply chain attacks in the npm ecosystem, this again was splendidly caught by every single npm registry monitoring firm, and they made a big noise about it. Except one firm which should have found it and stopped this first. npmjs is just not able to find these malicious behaviours. I can't accept and digest the fact that a firm acquired by GitHub in 2020, which was acquired by Microsoft in 2018, is not able to spot these signs. (Effectively npmjs is owned by Microsoft, so I do point a large finger towards Microsoft.)

Many hundreds of thousands of arguments can be made, but the ground reality is that Microsoft, via GitHub, via npmjs, is running a registry system which is rife with bugs, and they don't want to take meaningful corrective actions.