There are few ideas which come to my mind, some might be far fetched, taking NPM as an example.
- Restricting packages with similar names as of popular packages restrict expres because express is a popular package.
- Imposing stricter 2FA checks on accounts of authors of these packages.
- Making sure that published packages don't have vulnerabilities and clear npm audit.
- Alerts in case these packages contain a dependency which is new / relatively new.
Pre-publish to official security orgs. Does not get released into the wild until k of N auditors agree.