

1 · 2 years ago
I’m a software engineer who does woodworking, and I approve this message.
But my favorite explanation: you grab your hand saw, and it works. You don’t find out that the latest npm japanese-hand-saw-tooth package is incompatible with plywood, and you need to downgrade the package or buy new plywood to make a cut.
So the exploit redirected update traffic. Does that mean anyone who ran updates in that time period could have downloaded a compromised version and their machine would be infected?
Why isn’t that covered in the post?