Love Socket! A lot of folks (think most) were loading the compromised package through another package, @ledgerhq/connect-kit-loader [1], via a CDN call [2]. Would be great if Socket could pick up on this because Socket's @ledgerhq/connect-kit-loader page [3] doesn't include any warning.
We don't currently detect 'implicit dependencies' loaded via CDN URLs, though we'll look into what it would take to support this.
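As an added illustration of what detecting "implicit dependencies" could look like, here is a small scanner that finds npm packages a source file pulls at runtime from a public CDN and checks them against the declared manifest. This is example code written for this thread, not Socket's detection logic and not code from connect-kit-loader; the CDN URL shapes it matches (unpkg, jsDelivr's `/npm/` path, esm.sh) are assumptions, and the loader source and package.json it scans are constructed samples with placeholder package names, not the real loader or the real URL.

```javascript
// Added example: scanner for "implicit dependencies", i.e. npm packages a
// package pulls at runtime from a public CDN instead of declaring them in
// package.json. Hypothetical helper, not Socket's detection code.

// Matches URLs on three common npm-backed CDNs (assumed URL shapes):
//   https://unpkg.com/<pkg>[@<version>][/path]
//   https://cdn.jsdelivr.net/npm/<pkg>[@<version>][/path]
//   https://esm.sh/<pkg>[@<version>][/path]
const CDN_URL =
  /https?:\/\/(unpkg\.com|cdn\.jsdelivr\.net\/npm|esm\.sh)\/((?:@[\w.-]+\/)?[\w.-]+)(?:@([^\/'"`\s)]+))?(\/[^\s'"`)]*)?/g;

// An exact semver triple (optionally with a prerelease tag). Anything else
// ("latest", "^1", or no version at all) is resolved by the CDN at load time,
// so a newly published version reaches every user with no lockfile change.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[\w.]+)?$/;

function findImplicitCdnDependencies(source) {
  const seen = new Map();
  for (const m of source.matchAll(CDN_URL)) {
    const [url, host, name, version = null, path = ''] = m;
    const key = `${name}@${version ?? '*'}`;
    if (seen.has(key)) continue; // report each package/version once
    seen.set(key, {
      name,
      version,
      pinned: version !== null && EXACT_VERSION.test(version),
      cdn: host.split('/')[0],
      path,
      url,
    });
  }
  return [...seen.values()];
}

// Split CDN-loaded packages into those also declared in package.json (a
// manifest-based scanner already sees them) and those that are only implicit.
function classifyAgainstManifest(cdnDeps, packageJson) {
  const declared = new Set([
    ...Object.keys(packageJson.dependencies || {}),
    ...Object.keys(packageJson.devDependencies || {}),
  ]);
  return {
    declared: cdnDeps.filter((d) => declared.has(d.name)),
    implicit: cdnDeps.filter((d) => !declared.has(d.name)),
  };
}

// Constructed sample loader source with placeholder package names; the real
// connect-kit-loader and the URL it fetched are not reproduced here.
const SAMPLE_LOADER_SOURCE = `
export async function loadWidget() {
  const s = document.createElement('script');
  s.src = 'https://cdn.jsdelivr.net/npm/@example/widget@1.1.0/dist/umd/index.js';
  document.head.appendChild(s);
  const mod = await import('https://esm.sh/left-pad@latest');
  const fallback = "https://unpkg.com/other-lib/dist/other.js";
  return mod;
}
`;

// Constructed manifest: only one of the three CDN-loaded packages is declared.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-loader',
  dependencies: { '@example/widget': '^1.0.0' },
};

function scanSample() {
  const deps = findImplicitCdnDependencies(SAMPLE_LOADER_SOURCE);
  return { deps, ...classifyAgainstManifest(deps, SAMPLE_PACKAGE_JSON) };
}

for (const d of scanSample().implicit) {
  console.log(
    `${d.pinned ? 'pinned  ' : 'floating'} ${d.name}@${d.version ?? '<none>'} via ${d.cdn} (not in package.json)`
  );
}
```

The two properties worth surfacing are the ones a manifest-only scanner cannot see: that the package is loaded at all, and whether the URL pins an exact version. A floating or missing version means the CDN resolves the package at page-load time, so a freshly published release is served to users without any change to the consuming project's lockfile, which is exactly why a warning on the loader package's own page would be useful.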