com2kid 4 days ago

But that is dumb luck. Release an exploit, hope you can then gain further entry into a system at a company that is both high value and doesn't have any basic security practices in place.

That could have netted the attacker something much more valuable, but it is pure hit or miss and it requires more skill and patience for a payoff.

Versus blasting out some crypto-stealing code and grabbing as many funds as possible before being found out.

> Lots of people/organisations are going to be complacent and leave you with valid credentials

You'd get non-root credentials on lots of dev machines, and likely some non-root credentials on prod machines, and possibly root access to some poorly configured machines.

Two-factor is still in place; you only have whatever creds that NPM install was run with. Plenty of the really high value prod targets may very well be on machines that don't even have publicly routable IPs.

With a large enough blast radius, this may have worked, but it wouldn't be guaranteed.
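The comment's key point is that a malicious package only gets the privileges and credentials of whatever process ran `npm install`. The script below is an added defender-side example, not code from the commenter or from npm: it walks a `node_modules` tree, reports every package whose `package.json` declares a lifecycle hook that npm executes automatically during install (`preinstall`, `install`, `postinstall`, `prepare`), and lists which credential-looking environment variables such a hook would inherit. The package names (`left-pad-demo`, `hooked-demo`) and the sample environment are constructed for the demo; the `SECRET_HINTS` list is an assumption about naming conventions, not an npm feature.

```python
"""Audit an npm install tree for packages that run code at install time.

Added example (not from the comment or from npm). Package names, paths and
the demo environment below are constructed for illustration.
"""
import json
import tempfile
from pathlib import Path

# Lifecycle hooks that npm runs automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed name fragments that usually indicate a credential in the environment.
SECRET_HINTS = ("TOKEN", "SECRET", "PASSWORD", "KEY", "AWS_", "NPM_")


def find_install_scripts(node_modules: Path) -> dict:
    """Map package name -> {hook: command} for every package with install hooks."""
    findings = {}
    for manifest in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(manifest.read_text())
        except (ValueError, OSError):
            continue  # unreadable or non-JSON manifest: skip, do not crash the audit
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings[data.get("name", str(manifest.parent))] = hooks
    return findings


def exposed_credentials(env: dict) -> list:
    """Names of variables an install script would inherit that look like secrets."""
    return sorted(k for k in env if any(h in k.upper() for h in SECRET_HINTS))


def build_demo_tree(root: Path) -> Path:
    """Create a constructed node_modules with one clean and one hooked package."""
    nm = root / "node_modules"
    (nm / "left-pad-demo").mkdir(parents=True)
    (nm / "left-pad-demo" / "package.json").write_text(json.dumps({
        "name": "left-pad-demo", "version": "1.0.0",
        "scripts": {"test": "echo ok"}}))  # no install-time hook
    (nm / "hooked-demo").mkdir(parents=True)
    (nm / "hooked-demo" / "package.json").write_text(json.dumps({
        "name": "hooked-demo", "version": "0.0.1",
        "scripts": {"postinstall": "node ./setup.js"}}))  # runs during npm install
    return nm


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        nm = build_demo_tree(Path(tmp))
        for name, hooks in find_install_scripts(nm).items():
            print(f"{name}: runs {hooks} during npm install")
        # Constructed environment standing in for a developer's shell.
        demo_env = {"HOME": "/home/dev", "NPM_TOKEN": "redacted",
                    "AWS_SECRET_ACCESS_KEY": "redacted", "PATH": "/usr/bin"}
        print("credentials an install script would inherit:",
              exposed_credentials(demo_env))
```

Point it at a real tree with `find_install_scripts(Path("node_modules"))` and pass `dict(os.environ)` to `exposed_credentials` to see what an install hook on that machine would actually get. The usual mitigations that pair with this check are running installs with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) and keeping registry and cloud tokens out of the environment that performs the install, which is what limits the blast radius the commenter describes.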