PayDev: FOSS Monetization or new supply chain attack?

Received a response, not sure how I feel about it:

Hi Aravinth,
it's not a supply chain attack - the old versions of the packages on NPM
would still exist on npmjs.com. However, the new versions would either be
exclusive to PayDevs or delay-published after several weeks/months. Manual
or automated builds would not be affected - they would only not get new
features or bug fixes.

A dual-licensing approach would also be possible but even more problematic
as companies would suddenly pull GPL code from the public NPM and “infect”
code. Not everyone watches the licenses with each version update.

Cheers,