• realharo@lemm.ee · 1 upvote · edited · 10 months ago

    Clickbait title.

    The packages were collectively downloaded 963 times before they were removed. The rogue packages include names like “noblox.js-vps,” “noblox.js-ssh,” and “noblox.js-secure,” and they were distributed across specific version ranges

    Is there any indication that anyone actually installed these, other than some bots that auto download all packages and such?

    You would have to really go out of your way to get infected by stuff like this.

    That being said, there are things npm could do to try to auto-detect “risky” packages (new, similar name to existing projects, few downloads, etc.) and require an additional layer of confirmation, or something like that.