Just goes to show
You do not have production servers depend on unknown code.
Known code is code you have evaluated, reviewed and tested, and should be stored on a server you control.
When you are notified of an update, you evaluate the necessity of the update, review the new code if the update is necessary for you, and apply it to your test server only if you do intend to use it. There, you test it thoroughly and validate its merging with production code on servers you control.
This form of attack only works because everyone is abandoning their duty of care and just blindly trusting dozens of people they don't know to do things right. That's like hiring a cleaning lady and getting ten people shuffling around your house, doing things that are not necessarily related to cleaning. You'd have to be mad to accept that, but when it's code, you just can't be bothered (I know, might not have the time either - doesn't mean it's a good situation).
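One way to enforce the "known code only" rule described above in a build step, as an added example that is not part of the original comment: a vetted manifest records the hash of every dependency version that was actually reviewed, and anything fetched for a build that is absent from the manifest, or whose contents no longer match the reviewed copy, blocks the build. Function names and the sample manifest and artifacts are constructed for illustration.

```python
"""Block a build unless every dependency it pulls in was previously reviewed
and still matches the reviewed bytes.  Names and sample data are hypothetical."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    status: str  # "ok", "unvetted" or "hash-mismatch"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_against_manifest(manifest: dict, artifacts: dict) -> list[Finding]:
    """manifest: {name: {version: sha256_hex}} of code someone reviewed.
    artifacts: {(name, version): bytes} fetched for the current build."""
    findings = []
    for (name, version), payload in sorted(artifacts.items()):
        expected = manifest.get(name, {}).get(version)
        if expected is None:
            findings.append(Finding(name, version, "unvetted"))      # never reviewed
        elif sha256_hex(payload) != expected:
            findings.append(Finding(name, version, "hash-mismatch"))  # changed since review
        else:
            findings.append(Finding(name, version, "ok"))
    return findings


def approved(findings: list[Finding]) -> bool:
    return all(f.status == "ok" for f in findings)


# Constructed sample: one reviewed package, one package whose published
# contents differ from the reviewed copy, and one package nobody looked at.
REVIEWED_LIBFOO = b"def pad(s, n): return s.rjust(n)\n"
SAMPLE_MANIFEST = {"libfoo": {"1.0.0": sha256_hex(REVIEWED_LIBFOO)},
                   "utils": {"2.1.0": sha256_hex(b"reviewed utils source\n")}}
SAMPLE_ARTIFACTS = {("libfoo", "1.0.0"): REVIEWED_LIBFOO,
                    ("utils", "2.1.0"): b"reviewed utils source\n# extra bytes\n",
                    ("newdep", "0.1.0"): b"unreviewed code\n"}


def demo() -> list[Finding]:
    return check_against_manifest(SAMPLE_MANIFEST, SAMPLE_ARTIFACTS)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.name}@{f.version}: {f.status}")
    print("build approved" if approved(demo()) else "build blocked")
```

The manifest itself must live on a server you control and be updated only after the review step the comment describes, otherwise the check merely trusts whoever can edit it.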