This list is incomplete - at least one other package (nx-console VS code extension; 2.2M downloads) was compromised yesterday with this worm: if suitably qualified/connected people are reading this, it could be worth following that dependency chain too in case there are more. See here:

https://github.com/nrwl/nx-console/security/advisories/GHSA-...

PS: I posted on HN to try and alert people right after it was compromised but sadly got almost no upvotes :-(