Hacker News

I 100% agree, and I kind of wonder why this doesn't seem to be a problem with similar repositories like Maven. That doesn't seem to hit HN every 1-2 weeks with a new security flaw/compromised package, so they seem to be doing something right, whatever that may be.


It's likely to be a combination of several things. Npm is trendy and has a low threshold for getting started, plus the fact that adding e.g. bitcoin miners to a website is a nice way to decentralize and ramp up mining capacity.

Maven, on the other hand, defines several requirements, such as all files in a package being signed and more metadata, and they also provide free tools the developers can use to improve the quality of a package.




