I think the difference is between sharing the code and pushing dodgy code down into npm. Which is my misunderstanding.
Pushing this dodgy code down to end users in Russia/Ukraine is a cyberattack.