If I understand, the malware is installed via npm from some subshell. But yeah I totally believe you have a detailed review of every package-lock.json and etc.

What is npm?

I installed dwm from AUR once, then Prusa slicer.

Dwm PKGBUILD lists patches, so it's kind of obvious one needs to check them to choose what patches they want.

Prusa slices is downoaded from the official website.

I think you live in a different world ;-)