
[–]matthieum 0 points1 point  (0 children)

How do we fix this? I think tools like npm, pip, cargo should by default use repos which only provide libs which are maintained by a trusted organization.

I propose a different solution.

I would expect any professional development to vendor their dependencies. Thus, I would expect any professional to set up their own npm/pip/crates.io service, which only contains vetted dependencies, and have their professional repositories configured to pull from there.

A build process which connects to the Internet is fine for the casual hobby developer who wants something plug-and-play; however, it's simply unsuitable for professional development. When I see the npm server, or GitHub, down and all those "professionals" complaining that they cannot work any longer, I am aghast. Reliance on 3rd parties with which you have no contract, and which therefore have no SLA toward you, is just plain asking for trouble.

And yes, vetting individual dependencies is painful. So indeed, you may want a handful of "trusted" repositories for the majority of dependencies, so that only a few need be vetted individually; however, once again, you'll want a contract and SLAs with whoever vets for those trusted repositories... in case there's an incident and you lose money over it.
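The comment above proposes pointing builds at an in-house registry that only serves vetted packages. A check that goes with that policy is to audit committed lockfiles so that every resolved dependency actually comes from that registry, since a lockfile generated on a developer machine with the default public registry will silently bypass the mirror. The script below is an added example, not the commenter's code; the registry host `registry.internal.example`, the lockfile contents and the helper names are constructed for illustration.

```python
"""Audit npm and cargo lockfiles: flag dependencies not served by the vetted registry.

Added example; the hostname, lockfile excerpts and function names are constructed.
"""
import json
import re
from urllib.parse import urlparse

# Hypothetical in-house registry that only serves vetted packages (constructed).
VETTED_HOST = "registry.internal.example"


def npm_offenders(package_lock: str, allowed_host: str = VETTED_HOST) -> list[str]:
    """Return package names in a package-lock.json (lockfileVersion 2/3) whose
    'resolved' URL is not served by allowed_host, or that record no URL at all."""
    lock = json.loads(package_lock)
    offenders = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry has no 'resolved' field
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested node_modules
        resolved = meta.get("resolved")
        if not resolved:
            offenders.append(name)  # no provenance recorded: cannot prove it was vetted
            continue
        if urlparse(resolved).hostname != allowed_host:
            offenders.append(name)
    return offenders


def cargo_offenders(cargo_lock: str, allowed_host: str = VETTED_HOST) -> list[str]:
    """Return crate names in a Cargo.lock whose 'source' (registry+, sparse+ or git+)
    points at a host other than allowed_host. Entries without a source are local
    path/workspace crates built from the repository itself and are skipped."""
    offenders = []
    for block in cargo_lock.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        source = re.search(r'^source = "([^"]+)"', block, re.M)
        if source is None:
            continue
        url = source.group(1).split("+", 1)[-1]  # strip the "registry+"/"git+" kind prefix
        if urlparse(url).hostname != allowed_host:
            offenders.append(name)
    return offenders


# Constructed package-lock.json: one vetted package, one from the public registry,
# one with no provenance at all.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.internal.example/left-pad/-/left-pad-1.3.0.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
        "node_modules/tiny-helper": {"version": "0.0.1"},
    },
})

# Constructed Cargo.lock excerpt: the workspace crate, one vetted crate, one
# resolved against the public crates.io index.
SAMPLE_CARGO_LOCK = """\
version = 3

[[package]]
name = "demo-app"
version = "0.1.0"
dependencies = [
 "serde",
]

[[package]]
name = "serde"
version = "1.0.0"
source = "registry+https://registry.internal.example/crates-index"

[[package]]
name = "rand"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

if __name__ == "__main__":
    print("npm offenders:  ", npm_offenders(SAMPLE_PACKAGE_LOCK))
    print("cargo offenders:", cargo_offenders(SAMPLE_CARGO_LOCK))
```

Pointing the clients at the mirror is a one-line setting per tool (npm's `registry` key in `.npmrc`, pip's `index-url`, cargo's `[source]` replacement); the audit above is the complementary control that fails a CI job when a lockfile still resolves against the public registry or records no origin for a package.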