> all the malware did was modify the destination addresses of cryptocurrency payments mediated via online wallets like MetaMask
A clarification: Despite MetaMask depending on the compromised packages it was not directly affected because:
1) packages were not updated while the compromise was live
2) MetaMask uses LavaMoat for install-time and run-time protections against compromised packages
However the payload did attempt to compromise other pages that interact with wallets like MetaMask.