nicoburns 5 days ago

I feel like the correct solution to these problems (across NPM and all similar package managers) is a web-of-trust audit system based on:

- Reviewing the source code in the actual published package

- Tooling that enables one to easily see a trusted diff between a package version and the previous version of that package

- Built-in support in the package manager CLIs to only install packages that have a sufficient number of manual reviews from trusted sources (+ no / not too many negative reviews), with manual review required to bypass these checks.

There are enough users of each package that such a system should not be too onerous on users once the infrastructure is in place.
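As an added illustration of the policy sketched in the comment (not code from the comment's author or from any package manager), the snippet below combines the first and third points: reviews bind to the hash of the published artifact rather than a version string, trust is a small graph walked to a fixed depth, and install is allowed only with enough positive reviews from trusted reviewers and no more than a permitted number of negative ones. The trust graph, reviewer names and tarball bytes are constructed sample data.

```python
import hashlib
from collections import deque

# Constructed sample trust graph: reviewer -> reviewers they vouch for.
TRUST_GRAPH = {
    "me":    {"alice", "bob"},
    "alice": {"carol"},
    "bob":   set(),
    "carol": {"mallory"},
}

def trusted_set(root, graph, max_depth=2):
    """Reviewers reachable from `root` within `max_depth` vouching hops (web of trust)."""
    seen, queue = {root}, deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return seen

def package_digest(tarball_bytes):
    """Reviews are keyed by the hash of the *published* artifact, not the version label."""
    return hashlib.sha256(tarball_bytes).hexdigest()

def install_allowed(digest, reviews, trusted, min_positive=2, max_negative=0):
    """Policy check: enough 'ok' reviews of this exact artifact from trusted reviewers,
    and at most `max_negative` 'bad' reviews. Returns (allowed, reason)."""
    pos = neg = 0
    for r in reviews:
        if r["digest"] != digest or r["reviewer"] not in trusted:
            continue  # review of a different artifact, or from outside the trust set
        if r["verdict"] == "ok":
            pos += 1
        elif r["verdict"] == "bad":
            neg += 1
    if neg > max_negative:
        return False, f"{neg} negative review(s) from trusted reviewers"
    if pos < min_positive:
        return False, f"only {pos} of {min_positive} required trusted reviews"
    return True, "policy satisfied"

# Constructed sample: published tarball bytes and a handful of reviews.
PUBLISHED = b"constructed tarball bytes for example-pkg@1.3.0"
DIGEST = package_digest(PUBLISHED)
REVIEWS = [
    {"reviewer": "alice",   "digest": DIGEST,  "verdict": "ok"},
    {"reviewer": "carol",   "digest": DIGEST,  "verdict": "ok"},
    {"reviewer": "mallory", "digest": DIGEST,  "verdict": "ok"},   # beyond trust depth, ignored
    {"reviewer": "bob",     "digest": "0" * 64, "verdict": "ok"},  # reviewed a different artifact
]

if __name__ == "__main__":
    print(install_allowed(DIGEST, REVIEWS, trusted_set("me", TRUST_GRAPH)))
```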