it probably has multiple ways - infected npm packages, quickly exploiting CVEs before they are patched, ...