It's insane indeed, this stunt wrecked Google's official Firebase CLI app for npm.
Google is full of talented developers and the org is supposedly security-minded, so how does something like that get through? People pay top dollar to use their cloud services.
From what I read in other comments, one of the possible motives of this action is to teach a lesson to these billion-dollar companies who are piggybacking on OSS without giving back a single cent to the developers.
They are. The problem is the prevalence of version ranges, which were never part of semantic versioning and were instead added by npm. The author published a new version as a patch release, which means everyone using version ranges automatically pulled it.
Totally understand the guy though
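
The range behaviour described in the comment about patch releases, as an added example that is not part of the original thread: a simplified matcher for npm's `^` and `~` specifiers that reports which dependencies in a manifest would select a newly published version on a fresh resolve. Package names and versions are constructed placeholders, and `satisfies` and `auditManifest` are hypothetical helpers, not npm's own code.

```javascript
// Added example: simplified matcher for exact, ~ and ^ specifiers on full x.y.z versions.
// Prerelease tags, x-ranges and compound ranges are out of scope and return null.
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
};

const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};

// Exclusive upper bound of a specifier, following npm's documented ~ and ^ rules.
function upperBound(op, [maj, min, pat]) {
  if (op === '~') return [maj, min + 1, 0];
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

function satisfies(version, spec) {
  const m = /^([~^]?)(\d+\.\d+\.\d+)$/.exec(spec.trim());
  const v = parse(version);
  if (!m || !v) return null; // unsupported specifier or version
  const base = parse(m[2]);
  if (m[1] === '') return cmp(v, base) === 0; // exact pin matches only itself
  return cmp(v, base) >= 0 && cmp(v, upperBound(m[1], base)) < 0;
}

// For each dependency, report whether a newly published version would be selected.
function auditManifest(manifest, published) {
  const report = [];
  for (const [name, spec] of Object.entries(manifest.dependencies || {})) {
    const next = published[name];
    if (!next) continue;
    report.push({ name, spec, next, floating: /^[~^]/.test(spec), pulled: satisfies(next, spec) });
  }
  return report;
}

// Constructed sample: package names and versions are placeholders.
const manifest = { dependencies: { 'lib-a': '^1.4.0', 'lib-b': '~1.4.0', 'lib-c': '1.4.0', 'lib-d': '^0.0.3' } };
const published = { 'lib-a': '1.4.1', 'lib-b': '1.4.1', 'lib-c': '1.4.1', 'lib-d': '0.0.4' };
console.log(auditManifest(manifest, published));
```

A committed `package-lock.json` installed with `npm ci` keeps the recorded versions, so the floating entries above matter when the lockfile is absent or regenerated.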