So the npm exploit happened because the developer was on bluesky and clicked on an email from them.

Had he been on Nostr, all those npm packages wouldn't have gotten compromised.