Yes, but the same attack could happen if an attacker gains control of an npm module. Users without tight control over their modules could unwittingly pull in malicious code.
With dependency resolution and node_modules folders dozens of levels deep, it's pretty difficult to verify untrusted code hasn't been injected somewhere.