by Benjammer 2899 days ago
A malicious change could have already been published somewhere else, couldn't it have? And we just haven't found it yet?

Just saying they didn't do nothing. Maybe they didn't do as well as they could have, but they did do something.
Calling it resolved is worse than doing nothing. If they had done nothing, at least people would know that "If I run npm install now, that's bad". Now they've claimed it is resolved, which tells their users "It's okay to start installing things again" when it isn't safe until an audit has been completed.