If you are worried about the recent Lazarus group software supply chain attack, you should consider having guard rails that are more than conventional SCA. `vet` detects the package (version) published in the report as malware. Try out vet, it's free and open source:
https://github.com/safedep/vet
More details on the attack:
https://www.nodejs-security.com/blog/north-korea-malware-on-...