What a state of things where we have to fear installing software, and rely on vendors to scan things ahead of time, because our supply chain is such a mess and our tooling is so incapable of (and uninterested in) protecting us.
What would a solution to this look like?
What would it take to not fear installing software? This isn't a npm problem, its a computing problem in general. Spaces like this are generally pretty against any sort of restrictions or limitations being put on computers under the name of safety (see Manifest v3)
No way to prevent this says only package manager where this regularly happens.
You cannot call it a supply chain, if you have zero contractual relationships with the authors of the solutions you are using.
[1] https://news.ycombinator.com/item?id=44434355