
HighGoldstein, yesterday at 11:03 PM, 3 replies

Mitigate? Stop using random packages. Prevent? Stop using NPM and similar package ecosystems altogether.


Replies

cromka, yesterday at 11:55 PM

That package wasn't any more random than any other NodeJS package. NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny.

That's what's needed, and I am seriously surprised NPM is trusted like it is. And I am seriously surprised developers aren't afraid of being sued for shipping malware to people.

metaltyphoon, yesterday at 11:16 PM

> and similar package ecosystems altogether

Realistically, this is impossible.

anthk, yesterday at 11:25 PM

Does this happen with CPAN?

At least they seemed to have policies:

https://security.metacpan.org/