progbits 5 hours ago

Obviously blocking install scripts is a good thing, but this is just a false sense of security. If you install a package you will likely execute some code from it too, so the malware can just run then. And that is what the next attack will do as everyone starts using pnpm (or if npm blocks it too).

staticassertion 4 hours ago

It's not a false sense of security imo. Code often runs in its own environment, for example a container. We're "used to" sandboxing/isolating runtime code. It's the package installation process that gets less attention.
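The install-time hooks the thread is arguing about are ordinary `scripts` entries in each dependency's package.json. As an added example (not code from either commenter, and not pnpm's own implementation), this enumerates the hooks a dependency tree would run at install and splits them into packages a reviewer has already vetted versus ones that still need a look; the manifests and the allowlist are constructed sample data.

```javascript
// Added example: find which dependencies would execute code at install time.
// Hook names are the npm lifecycle events that run on `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed sample package.json contents, as found under node_modules/<name>/.
const SAMPLE_MANIFESTS = [
  { name: "left-pad-ish", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "native-thing", version: "2.3.1", scripts: { install: "node-gyp rebuild" } },
  { name: "unvetted-dep", version: "0.0.9", scripts: { postinstall: "node setup.js" } },
  { name: "no-scripts", version: "3.0.0" },
];

// Return every install-time hook declared by the given manifests.
function findInstallHooks(manifests) {
  const hooks = [];
  for (const pkg of manifests) {
    const scripts = pkg.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === "string") {
        hooks.push({ name: pkg.name, version: pkg.version, hook, command: scripts[hook] });
      }
    }
  }
  return hooks;
}

// Split hooks into packages already on a reviewed allowlist and those needing review.
// With scripts blocked by default, only the allowed set should ever be re-enabled.
function reviewInstallHooks(manifests, allowlist) {
  const allowed = new Set(allowlist);
  const result = { allowed: [], needsReview: [] };
  for (const h of findInstallHooks(manifests)) {
    (allowed.has(h.name) ? result.allowed : result.needsReview).push(h);
  }
  return result;
}

// Stand-alone usage: "native-thing" is a constructed, previously vetted native build.
const report = reviewInstallHooks(SAMPLE_MANIFESTS, ["native-thing"]);
console.log(JSON.stringify(report, null, 2));
```

In a real tree you would feed it the parsed package.json of every entry under node_modules (or the lockfile's resolved set) instead of the sample array.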