jongjong 3 days ago

I just made a very similar comment. Spot on. It's laughable to think that this trivial opportunity that literally any developer could pull off with a couple of thousand dollars is a one-in-a-million. North Korea probably has enough money to buy up a significant percentage of all popular npm dependencies and most people would sell willingly and unwittingly.

In the case of North Korea, it's really crazy because hackers over there can do this legally in their own country, with the support of their government!

And most popular npm developers are broke.

tonyhart7 3 days ago | parent

Actually, unless you are a billionaire or a high-profile individual

You wouldn't get targeted, not because they can't but because it's not worth it

Many state-sponsored attacks are well documented in a lot of books that people can read; they don't want to add much record because it creates buzz