sublinear 2 hours ago

How is this situation any different from any other ecosystem? I think you don't have an argument here other than that npm is a relatively large public repository. Bad actors and ignorant developers are everywhere else too.

There are plenty of npm features to help assess packages and prevent unintended updates, but nothing replaces due diligence.