euLh7SM5HDFY 3 days ago

The sheer volume is the issue. The recent XZ backdoor shows it can happen to everyone. I am pretty sure JS has the most packages, updates and contributors - and that makes it the best ecosystem to target. That anemic standard library doesn't help of course, but 2FA and package signing are required for all package repositories, here and now.