> all the malware did was modify the destination addresses of cryptocurrency payments mediated via online wallets like MetaMask

A clarification: Despite MetaMask depending on the compromised packages it was not directly affected because: 1) packages were not updated while the compromise was live 2) MetaMask uses LavaMoat for install-time and run-time protections against compromised packages

However the payload did attempt to compromise other pages that interact with wallets like MetaMask.

Disclaimer: I worked on LavaMoat

LavaMoat: https://github.com/lavamoat/lavamoat