Interesting, good to see there are security reviews in place that allowed this to be caught so quickly.
It is not an uncommon way of trying to get a backdoor from a company. Instead of attacking the company itself, you try to get the backdoor into a software you know they use and trust.
Not that many months ago another similar case was in the news, in that case, it was even worse, as the hackers had the ability to modify the software for over a year. The client group for this software included many fortune 500 companies, and also state departments in US.
Was it not last year, or two years ago one of the official node.js plugins for one of the blockchains has a similar breach? Where it sent the private key to a third party, allowing them to steal your funds.
In the end, this just goes to show that internal security control is important.
This includes the code/libraries you import into your codebase. While it is very convenient to use a third-party package, using it without reviewing it, or allowing it to automatically update the version, can open a can of worms if said package gets breached.
It is also not a bad idea to monitor the traffic on the servers since that allows you to spot anything that is out of the normal. If a server that normally only receives traffic, start to send traffic it should hit the alarm bells.