“We all dodged a massive bullet”

I don’t think we did. I think it is entirely plausible that more sophisticated attacks ARE getting into the npm ecosystem.