NPM supply chain attack compromised 18 popular JavaScript packages, swapping crypto wallet addresses, but quick detection limited losses to under $500 despite billions of potential exposures.