Thx for sharing. From what I understand:
Your repo had a GitHub Action that ran on every PR.
An attacker submitted a malicious PR that modified the Action to steal your npm token.
Was the main cause a GitHub Action misconfiguration?
7 months ago