> I think you missed the mark a bit here. This wasn’t a dependency that was compromised, it was a dep that was malicious from the start.

You're making assumptions that I am making assumptions, but I wasn't making assumptions. I understand the attack.

> Package manager doesn’t really play into this.

It does, for the reasons I described.