I was with it until he got to the bit about pen testers:
"What hours do they work? My code doesn’t send anything between 7am and 7pm. It halves my haul, but 95% reduces my chances of getting caught."
7am to 7pm where? Is there any basis for the conclusion that no pen testers work on off-hours, or that none live in a different time zone from whichever one he's using?
I also find it difficult to believe that the detection methods he describes are the only ones available. This also presumes that you're putting your credit card info into a site that uses Node.js to begin with. Especially because this issue, i.e. the lack of verification on npm packages, has been known about for years. I mean, I read about it years ago, and I'm hardly on the cutting edge of network security.