by lqs469 2310 days ago
It's just a mirror service address, the NPM package is the same. Worrying too much about cybersecurity is a bit of a storm in a teacup.

Well, how do you know it's "just" a mirror service, and it is not using a zero-day to exploit your system, by installing a rootkit or copying your code to their servers?

I agree that it's a valid concern.

If you're concerned about injection into a third-party package, you should be using `package-lock.json` (or equiv) and integrity hashing your dependencies at install time.
Signed packages would go some way towards better distributing npm.
In fact, you can compare the installed dependencies' code line by line; JavaScript won't be compiled anyway.
I'll admit I don't know the specifics of how NPM works or if it's even a valid concern. But cybersecurity is becoming much more about a power grab than actual hacking these days. And if you depend on things in China for your American company, you can bet that will be on the table for any future attacks.