Hacker News

AntiUSAbah, today at 9:23 AM

The supply chain attack in this case would be injecting the exploit on a CI/CD system and escalating the local user who runs the npm code to root.

The proper response from them and you should be to make sure to have some isolation between user space and root, like gVisor.