by rpodraza 271 days ago
Someone should eradicate the npm ecosystem and start from scratch. No sane package manager would allow running arbitrary scripts or downloading stuff from God knows where, like random GitHub repos.
1 comments

npm is now a private company, right? It does also look like they have already gone through enshittification and don't even seem to have publicly acknowledged this attack.