The attacker used at least three Node dependencies in the attack; just checking for atomic-lockfile is not enough. The names js-digest and lockfile-js were also used, and at some point the attacker switched to bun instead of npm.
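A check along the lines the comment above suggests, as an added example that is not part of the thread: it scans PKGBUILD or `.install` text for all three reported package names and for any JavaScript package-manager fetch, so a switch from npm to bun does not slip past. The function name, the extra tools beyond npm and bun, the verb list and the sample script are assumptions constructed for illustration.

```python
import re

# Package names reported in the comment above.
REPORTED_NAMES = ("atomic-lockfile", "js-digest", "lockfile-js")
# npm and bun come from the comment; the other tools are an added generalization.
JS_TOOLS = ("npm", "npx", "bun", "bunx", "yarn", "pnpm")
RUNNERS = {"npx", "bunx"}  # fetch and execute in one step
FETCH_VERBS = {"install", "i", "add", "x", "exec", "dlx", "create"}

NAME_RE = re.compile(
    r"(?<![\w-])(%s)(?![\w-])" % "|".join(map(re.escape, REPORTED_NAMES)))
TOOL_RE = re.compile(r"(?<![\w-])(%s)(?![\w-])\s*(.*)" % "|".join(JS_TOOLS))


def scan_build_script(text):
    """Return sorted (line_no, reason) findings for PKGBUILD or .install text."""
    findings = set()
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip whole-line shell comments
            continue
        for m in NAME_RE.finditer(line):
            findings.add((no, "reported-name:" + m.group(1)))
        m = TOOL_RE.search(line)
        if not m:
            continue
        tool = m.group(1)
        # The first non-flag word after the tool is its subcommand, if any.
        words = [w for w in m.group(2).split() if not w.startswith("-")]
        if tool in RUNNERS or (words and words[0] in FETCH_VERBS):
            findings.add((no, "fetch:" + tool))
    return sorted(findings)


# Constructed sample, not taken from any real package.
SAMPLE = '''\
pkgname=example-bin
# npm install is not used here
package() {
  install -Dm755 example "$pkgdir/usr/bin/example"
}
post_install() {
  bun add js-digest
  npm  install --silent some-other-dep
}
'''

if __name__ == "__main__":
    for line_no, reason in scan_build_script(SAMPLE):
        print(line_no, reason)
```

A `fetch:` finding is a prompt for manual review rather than a verdict, since legitimate Node-based packages also call these tools during build.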
I love that even when trying to put malware into Arch Linux AUR, the malware is still distributed through NPM. Legendary platform.