“Just installing dependencies executes the backdoor. The npm prepare script runs automatically after npm install.”

A fake recruiter sent a real-looking coding assignment, and a bare npm install ran the backdoor through the package's prepare lifecycle script. The attacker wore the identities of actual professionals to look legit. The whole scam runs on the habit of trusting a repo enough to install it. Read the code before you run it, or the job offer installs you.