A lot of the recent npm attacks have been exfiltration from dev machines, which would just as likely from dev dependencies.