The real problem here is when you had old packages that include the infected packages.
You have to go an update everything to the latest version, possibly breaking stuff and pray that npm ls event-stream flatmap-stream does not show anything suspicious.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
The real problem here is when you had old packages that include the infected packages.
You have to go an update everything to the latest version, possibly breaking stuff and pray that
npm ls event-stream flatmap-stream
does not show anything suspicious.