cube00 3 days ago

If you have tens of thousands of repos with branches to match, you'll be scanning all year.

Proxy NPM with something like Artifactory which stops the bad package getting back in or ending up in any new builds.

Follow it up with endpoint protection to weed the package out of the local checked-out copies and .npm on the individual dev boxes.