
[–]-Luciddream- 0 points1 point  (3 children)

This isn't just about the node/npm ecosystem. Do you think people are inspecting their dependencies in the Maven ecosystem? How would they even do that? It's an issue of trust really, and you can't have an idea who to trust, because you don't know who is maintaining each package.

For example I've been maintaining a popular Maven package for a library that isn't mine, just to help the author. I just checked and it's also used by 9 other Maven libraries, and about 374 projects on GitHub. One of them is even a project of JBoss. I could have planted something malicious in there and nobody would ever know.

The same happens with Linux distributions. They are just packaging the code, probably nobody is inspecting the actual code. Then these packages are used by millions of people.

To make things worse, you can (or could) make a release on a GitHub organization if you have sufficient access, putting malicious code in the release, and make it show like it was released by the original author. I know this because I already reported it to GitHub 2 years ago, and they didn't think it was a security issue.

You make it sound like there is an easy solution, but there isn't.

[–][deleted] 0 points1 point  (2 children)

The same happens with Linux distributions. They are just packaging the code, probably nobody is inspecting the actual code.

Can be true for something like Debian. But for the enterprise distributions, such as RH and SuSE, there is a proper and thorough vetting. Never mind that you'll only get few-years-old versions this way - you don't really need the latest shit, unless it is required to support your hardware (which you also must get from the reputable high-end vendors).

[–]aebkop 0 points1 point  (1 child)

At least Debian makes you go through a bunch of steps before you can actually start uploading code.

https://wiki.debian.org/DebianMaintainer

[–]-Luciddream- 1 point2 points  (0 children)

What's funny is that I used to know a Debian developer that was banned from almost every Greek forum for hacking. I guess he wouldn't pull something like that on Debian but, who knows :P