deepanwadhwa 3 days ago

What makes you so sure that the exploit is over? Maybe they wanted their secondary exploit to get caught to give everyone a sense of security? Their primary exploit might still be lurking somewhere in the code?

pixl97 3 days ago

Well, because it is really easy to diff an npm package.

The attacker had access to the user's npm repository only.
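
The kind of diff mentioned in the reply above, as an added example that is not part of the original thread: it compares two package tarballs file by file using SHA-256, reading members in memory rather than unpacking them to disk. The package name `example-lib`, its file contents and the helper function names are constructed for illustration.

```python
import hashlib
import io
import tarfile


def build_tarball(files):
    """Build an in-memory .tgz laid out like `npm pack` output (package/ prefix)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo("package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def file_hashes(tgz_bytes):
    """Map each regular file in the tarball to its SHA-256 digest."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                hashes[member.name] = hashlib.sha256(data).hexdigest()
    return hashes


def diff_packages(old_tgz, new_tgz):
    """Return sorted lists of added, removed and changed paths."""
    old, new = file_hashes(old_tgz), file_hashes(new_tgz)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


# Constructed sample: two versions of a hypothetical package "example-lib".
V1 = build_tarball({
    "package.json": '{"name": "example-lib", "version": "1.0.0"}',
    "index.js": "module.exports = () => 42;\n",
})
V2 = build_tarball({
    "package.json": '{"name": "example-lib", "version": "1.0.1", '
                    '"scripts": {"postinstall": "node setup.js"}}',
    "index.js": "module.exports = () => 42;\n",
    "setup.js": "// constructed placeholder for an unexpected new file\n",
})

if __name__ == "__main__":
    for kind, paths in diff_packages(V1, V2).items():
        print(kind, paths)
```

Against real releases, the two inputs would be the published tarballs for the last known-good version and the version under review.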