Because it is not a serious ecosystem run by serious people. Do you know what serious people do? They have package repositories with people called "maintainers", who are, crucially, trusted members of a community who don't write the software they package. "Oh but that's GATEKEEPING!", they screech. Yes, that's the entire point. Gatekeeping prevents shit like this from happening. There's a reason why this doesn't happen to Debian, but JavaScript developers get defensive and mean when you suggest that maybe the equivalent of a public S3 bucket isn't the best way to host a package repository.