tasuki 3 hours ago
I don't get this explanation. How does it force you to run the infection code? Yes, if you depend on an infected package, sure. But then I'd expect not just a list, but a graph outlining which package infected which other package. Overall I don't understand this at all.
merelysounds 3 hours ago
Look at the diff in the article, it shows the “inject” part: the malicious file is added to the “preinstall” attribute in the package.json.