https://github.blog/security/supply-chain-security/our-plan-...

So github has some tools available to mitigate some of the problems tied to it. Probably not perfect for all use cases. But considering the current scale, it doesn't seem to have any effect, as enough publishers seem not to care.

I think npm should force higher standards on popular packages.