They could've pip installed, curl|sh'd or anything else, it's not relevant to the underlying issue.
replyPerhaps there were other vectors, but npm was the one used here.
replyAnd yes, this is an AUR issue, but npm being used to host and dissiminate malware is also [a chronic] one, even if separate.