gred 7 hours ago

NPM has about 4 million packages, Maven Central has about 3 million packages.

If this were true, wouldn't there have been at least one Maven attack by now, considering the number of NPM attacks that we've seen?

chha 7 hours ago

Been a while since I looked into this, but afaik Maven Central is run by Sonatype, which happens to be one of the major players for systems related to Supply Chain Security.

From what I remember (a few years old, things may have changed) they required devs to stage packages to a specific test env, packages were inspected not only for malware but also vulnerabilities before being released to the public.

NPM on the other hand... Write a package -> publish. Npm might scan for malware, they might do a few additional checks, but at least back when I looked into it nothing happened proactively.

viraptor 7 hours ago

There were. They're just not as popular here. For example https://www.sonatype.com/blog/malware-removed-from-maven-cen...

Maven is also a bit more complex than npm and had an issue in the system itself https://arxiv.org/html/2407.18760v4

pimterry 5 hours ago

As of 2024, Maven had 1.5 trillion requests annually vs npm's 4.5 trillion - regardless of package count, 3x more downloads in total does make it a very big target (numbers from https://www.sonatype.com/state-of-the-software-supply-chain/...).

skwee357 7 hours ago

One speculation would be that most Java apps in the wild use way older Java versions (say 17/11, while the latest LTS is 21).

AndroTux 7 hours ago

Okay then, explain to me why this is only possible with NPM? Does it have a hidden "pwn" button that I don't know about?

liveoneggs 6 hours ago

https://docs.npmjs.com/cli/v8/using-npm/scripts

tonyedgecombe 5 hours ago

>Does it have a hidden "pwn" button that I don't know about?

Perhaps its package owners do.

deafpolygon 6 hours ago

NPM executes packages as you download them.
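
The mechanism behind the two replies above (npm lifecycle scripts such as `preinstall`/`postinstall` running automatically during `npm install`) can be audited from the defender's side. The following is an added example, not code from the thread or from npm: it scans package manifests for auto-run hooks and checks whether an `.npmrc` sets `ignore-scripts=true` (a real npm option; `npm install --ignore-scripts` has the same effect). The manifests and `.npmrc` text are constructed sample data.

```javascript
// Added example: audit package.json manifests for npm lifecycle hooks that
// run automatically on install, and check the ignore-scripts mitigation.
// Sample manifests below are constructed, not real packages.

// Hooks npm runs without the user invoking them (install-time lifecycle).
const AUTO_RUN_HOOKS = ["preinstall", "install", "postinstall",
                        "preprepare", "prepare", "postprepare"];

// Returns one finding per (package, hook) pair that declares an auto-run script.
function findLifecycleScripts(manifests) {
  const findings = [];
  for (const m of manifests) {
    const scripts = (m.scripts && typeof m.scripts === "object") ? m.scripts : {};
    for (const hook of AUTO_RUN_HOOKS) {
      if (Object.prototype.hasOwnProperty.call(scripts, hook)) {
        findings.push({ name: m.name, version: m.version, hook, command: String(scripts[hook]) });
      }
    }
  }
  return findings;
}

// Parses .npmrc (ini-style key=value lines) and reports whether
// ignore-scripts=true is in effect; a later line overrides an earlier one.
function ignoreScriptsEnabled(npmrcText) {
  let enabled = false;
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "ignore-scripts") enabled = value === "true";
  }
  return enabled;
}

// Constructed sample input: one benign test script, one native build hook,
// one postinstall hook that a reviewer would want to inspect before trusting.
const SAMPLE_MANIFESTS = [
  { name: "left-trim",       version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "native-thing",    version: "2.3.1", scripts: { install: "node-gyp rebuild" } },
  { name: "suspicious-util", version: "0.0.9", scripts: { postinstall: "node setup.js" } },
];
const SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\n# hardening\nignore-scripts=true\n";

console.log(JSON.stringify(findLifecycleScripts(SAMPLE_MANIFESTS), null, 2));
console.log("ignore-scripts enabled:", ignoreScriptsEnabled(SAMPLE_NPMRC));
```

Run the same scan over the `package.json` files under `node_modules` (or a lockfile's resolved packages) to get a list of every install-time command a dependency tree would execute.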

master-lincoln 6 hours ago

No. Having many packages might not be the only reason to start an attack. This post shows it is/was possible in the Maven ecosystem: https://blog.oversecured.com/Introducing-MavenGate-a-supply-...

throwawayffffas 6 hours ago

How many daily downloads does Maven have?