The maintainer whose account was compromised had reused their npm password on several other sites and did not have two-factor authentication enabled on their npm account.Notice how they desperately try to avoid mentioning his name. Nobody may ever be responsible for anything, after all.