Slipping an exploit into an npm package doesn't let you easily run away with tens/hundreds of millions of dollars in the same way web3 projects do.
That said, I personally doubt this happens much if at all, because if you want to scam on web3 you can just do a good old-fashioned pump&dump and nobody seems to be receiving any legal/criminal consequences as of yet.
That said, I personally doubt this happens much if at all, because if you want to scam on web3 you can just do a good old-fashioned pump&dump and nobody seems to be receiving any legal/criminal consequences as of yet.