throwawayffffas 2 hours ago

I agree it's hard. But it's actually easier in professional settings. There are funds and you don't have an excuse to be lazy.

At minimum, whatever you are working on should be built in Docker. The package installation would then happen during the image build step. Yes, it's easy to break out of the isolation environment, but I am betting this malware does not.

NPM tokens should exist in some configuration/secret management solution, not in your home directory. Devs have no business holding the NPM tokens. Same goes for sensitive environment variables; they have no business existing on dev laptops or even in the pipeline build steps (where package installation should happen).

AWS etc. credentials/tokens are harder to secure since there are legitimate reasons for them to exist on dev laptops.
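One way to lay out what the comment describes (dependencies installed during the image build, with the registry token passed in as a BuildKit build secret instead of living in a developer's home directory). This is an added example, not the commenter's own setup; the base image, file paths, secret id and entrypoint are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: dependency installation happens here, inside the image build,
# not on a developer laptop.
FROM node:20-alpine AS deps
WORKDIR /app
COPY package.json package-lock.json ./
# The .npmrc containing the registry token is supplied at build time from the
# secret store, e.g.:
#   docker build --secret id=npmrc,src=/run/secrets/npmrc .
# It is mounted only for the duration of this RUN step and is never written
# into an image layer, so neither the final image nor the laptop keeps a copy.
# --ignore-scripts prevents install/postinstall hooks from running during
# the build; drop it only for packages that genuinely need a build step.
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
    npm ci --ignore-scripts

# Stage 2: the runtime image gets only the resolved node_modules and the
# application source; no token, no npm credentials, no build-time state.
FROM node:20-alpine
WORKDIR /app
ENV NODE_ENV=production
COPY --from=deps --chown=node:node /app/node_modules ./node_modules
COPY --chown=node:node . .
# Run as the unprivileged user the base image already provides.
USER node
CMD ["node", "server.js"]
```

Sensitive runtime values (database URLs, cloud credentials) are then injected by the orchestrator at deploy time rather than baked in with ENV, so they likewise never sit in the image or in a developer's shell profile.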

junon 14 minutes ago | parent

Docker is also not a silver bullet. Again, what you're claiming to be easy is oftentimes exceedingly difficult or frictional, especially on established teams. I don't disagree that compartmentalization is important, but security solutions are only as effective as their practical feasibility.