npm install will be called when I start my Vaadin application. It will therefore install new versions which might be infected. The second incident with npm could have caused problems on developer machines (if I understand it correctly).
My solution to that is to run npm ci in development, not only for production builds. See Why developers should use npm ci instead of npm install and its benefits — DeployBot Help Center
The ciBuild property in Vaadin Flow only works for production builds (https://github.com/vaadin/flow/pull/15986). I think it would be great if there was an option to also use it for development builds. Have you considered that?