What's more likely, the real npm site has a subdomain with XSS (IIRC the issue you linked) or you are manually filling your password into a phishing site?

There's strong evidence that the latter is a more common concern.

What I'm saying is that autofill is a current method of credential extraction that should be avoided.

You don't have to believe me, read the links.