ozim 3 days ago
Linux distribution packages are also very trust driven — but you have to earn trust to publish. Then there is a whole system to verify trust. NPM is more like "everything goes".
euLh7SM5HDFY 3 days ago | parent
The sheer volume is the issue. The recent XZ backdoor shows it can happen to everyone. I am pretty sure JS has the most packages, updates and contributors - and it makes it the best ecosystem to target. That anemic standard library doesn't help of course, but 2FA and package signing are required for all package repositories, here and now.
johnny22 3 days ago | parent
It wouldn't have solved this, because this publisher would have been trusted.