I was responsible for DevOps, CI, and workstation security at my previous position.
Containerize all of your dev environments and lock dependency files to only resolve to a specific version of a dependency that is known safe.
Never do global installs directly, ideally don't even install node outside of a container.
Lag dependency updates by a couple of weeks, and enable automated security scans like Dependabot on GH. Do not allow automated updates, and verify every dependency prior to updating.
If you work on anything remotely sensitive, especially crypto adjacent, expect to be a target and use a dedicated workstation that you wipe regularly.
Sounds tedious, but that's the job.
Alternatively you could find a job outside the JS ecosystem, you'll likely get a pay bump too.
> Alternatively you could find a job outside the JS ecosystem
In this economy? I'll take any job lol.
I think I'm gonna skip the containers and go straight for a VPS. And keep everything completely sandboxed. My editors can work via SSH anyways.