If you are worried about the recent Lazarus group software supply chain attack, you should consider having guard rails that are more than conventional SCA. `vet` detects the package (version) published in the report as malware.
Try out vet, it's free and open source: https://github.com/safedep/vet
More details on the attack: https://www.nodejs-security.com/blog/north-korea-malware-on-...