Comment by robshippr
23 days ago
Three hours between the malicious publish and npm pulling the versions. If your CI ran an install during that window, this went straight to prod. Most teams I've worked with still have loose version ranges somewhere in their dependency tree even if they think they've locked everything down.
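One way to check for the exposure the comment describes, added here as an illustration (this is not the commenter's code and not an npm tool): walk a package-lock.json (lockfile v2/v3 "packages" layout) and report both the versions already pinned in the lock and the dependency ranges that would admit a bad version if the lock were missing, stale, or bypassed, which is what `npm install` can do and `npm ci` refuses to do. The package names (`left-pad-ish`, `tiny-util`), the bad-version list, the placeholder `resolved`/`integrity` fields and the small `satisfies` range checker are all constructed for the example; a real audit would use the `semver` package for range matching.

```javascript
// Added example, not code from the comment above or from npm. Audits a
// package-lock.json (lockfile v2/v3 "packages" map) against known-bad versions.
// Two kinds of finding: a bad version already installed via the lock, and a
// declared range that *admits* a bad version when the lock is not honoured.

// Minimal semver range check covering exact pins, caret (^), tilde (~) and "*".
// Prereleases and compound ranges (">=1.2 <2", "a || b") are NOT handled;
// swap in the `semver` package for real use.
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

function satisfies(version, range) {
  const v = parse(version);
  if (range === '*' || range === '') return true;          // wide open
  const op = range[0];
  if (op !== '^' && op !== '~') return cmp(v, parse(range)) === 0; // exact pin
  const parts = parse(range.slice(1));
  const given = parts.length;                              // "~1" vs "~1.2" widen differently
  const base = [parts[0] || 0, parts[1] || 0, parts[2] || 0];
  if (cmp(v, base) < 0) return false;
  let upper;
  if (op === '~') upper = given === 1 ? [base[0] + 1, 0, 0] : [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];              // ^1.2.3 -> <2.0.0
  else if (base[1] > 0 || given < 3) upper = [0, base[1] + 1, 0]; // ^0.2.3 -> <0.3.0
  else upper = [0, 0, base[2] + 1];                               // ^0.0.3 -> <0.0.4
  return cmp(v, upper) < 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry is "".
function packageName(lockPath) {
  const i = lockPath.lastIndexOf('node_modules/');
  return i === -1 ? lockPath : lockPath.slice(i + 'node_modules/'.length);
}

// badVersions: { packageName: [version, ...] } taken from an advisory.
function auditLockfile(lock, badVersions) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const bad = badVersions[packageName(path)];
    if (bad && entry.version && bad.includes(entry.version)) {
      findings.push({ kind: 'installed', path, version: entry.version });
    }
    // Ranges this package declares are what gets re-resolved when the lock
    // is ignored (npm install with a stale lock) rather than enforced (npm ci).
    for (const [dep, range] of Object.entries(entry.dependencies || {})) {
      const depBad = badVersions[dep];
      if (!depBad) continue;
      const admits = depBad.filter((v) => satisfies(v, range));
      if (admits.length) {
        findings.push({ kind: 'range-admits', path: path || '(root)', dep, range, admits });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile and advisory; names and versions are made up.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'left-pad-ish': '^1.3.0' } },
    'node_modules/left-pad-ish': {
      version: '1.3.0',
      resolved: 'https://registry.example.invalid/left-pad-ish/-/left-pad-ish-1.3.0.tgz',
      integrity: 'sha512-constructed-placeholder',
      dependencies: { 'tiny-util': '~2.1.0' },
    },
    'node_modules/tiny-util': { version: '2.1.9' },
  },
};
const BAD = { 'left-pad-ish': ['1.3.1'], 'tiny-util': ['2.1.9', '2.2.0'] };

for (const f of auditLockfile(SAMPLE_LOCK, BAD)) console.log(JSON.stringify(f));
```

On the sample data the audit reports three findings: `tiny-util@2.1.9` is already pinned and installed, the root's `^1.3.0` on `left-pad-ish` would pull the bad `1.3.1` if the lock were re-resolved, and `left-pad-ish`'s own `~2.1.0` on `tiny-util` admits `2.1.9` (but not `2.2.0`). The last two are the "loose range somewhere in the tree" case: the lockfile hides them until something runs `npm install` instead of `npm ci` during the window.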