This post was inspired by the “‘No Way To Prevent This,’ Says Only Nation Where This Regularly Happens” articles released by The Onion. It may contain sarcasm.

Edit: Besides some personal threats I have received in response to this parody/sarcastic joke, I have been asked to make suggestions on how to fix the problem. Here's an incomplete list of what I personally think is wrong with npm:

npm (client and registry) is a flawed system and would need to be completely replaced. The new system should have the following features to mitigate the possibility of such incidents:

No unscoped packages

Scopes are 1-to-1 bound to a single user/organization

Publishing packages requires 2FA, and the published package must be signed with GPG

Unpublishing packages is not allowed for anyone but the registry maintainers (yanking, as Rust's cargo does it, is another possible solution: a yanked version is excluded from new dependency resolution but stays downloadable for projects whose lock file already references it)

Fuzzy dependency versions (^2.0.0 and the like) should not be allowed in final versions. Multiple times I have witnessed npm modifying the package lock file of a project when running npm install after a fresh clone, downloading newer versions of transitive dependencies than those specified in the lock file
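A release gate that enforces the "no fuzzy versions" rule and cross-checks the lock file against package.json, as an added example that is not part of the original post. It flags every direct dependency whose spec is not an exact pin, reports pins whose lock file entry resolved to a different version, and reports any fetched package (direct or transitive) whose lock file entry lacks a sha512 integrity hash. It assumes the lockfileVersion 2/3 layout, where `lock.packages` is keyed by `node_modules/<name>` paths; the package names and integrity strings in the sample inputs are constructed for this example and are not real packages or real hashes.

```javascript
// Added example (not from the original post): pre-release check for fuzzy
// dependency specs and lock file drift. Assumes lockfileVersion 2 or 3.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// An exact pin is a bare semver version. Anything else (^, ~, *, 1.x, >=,
// "a || b", "a - b", a git/URL spec, or an empty string) counts as fuzzy.
function isExactPin(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Collect every direct dependency whose spec is not an exact pin.
function findFuzzyDeps(pkg) {
  const fuzzy = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactPin(spec)) fuzzy.push({ field, name, spec });
    }
  }
  return fuzzy;
}

// Cross-check package.json against the lock file:
//  - every direct dependency must have a lock file entry,
//  - an exact pin must equal the version the lock file resolved,
//  - every fetched package must carry a resolved URL and a sha512 integrity hash.
function auditLockfile(pkg, lock) {
  const problems = [];
  const packages = lock.packages || {};
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const entry = packages[`node_modules/${name}`];
      if (!entry) {
        problems.push(`${name}: listed in ${field} but absent from the lock file`);
        continue;
      }
      if (isExactPin(spec) && entry.version !== String(spec).trim()) {
        problems.push(`${name}: package.json pins ${spec} but lock file resolved ${entry.version}`);
      }
    }
  }
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || entry.link) continue; // root project and workspace symlinks are not fetched
    if (!entry.resolved) problems.push(`${path}: no resolved URL`);
    if (!/^sha512-/.test(entry.integrity || "")) problems.push(`${path}: missing or weak integrity hash`);
  }
  return problems;
}

// Constructed sample inputs: package names and hashes are made up for this example.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  version: "1.0.0",
  dependencies: { "some-lib": "2.1.0", "other-lib": "^3.0.0" },
  devDependencies: { "build-tool": "~1.4.0" },
};

const SAMPLE_LOCK = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    // drifted: package.json pins 2.1.0, lock file resolved 2.1.1
    "node_modules/some-lib": {
      version: "2.1.1",
      resolved: "https://registry.example.invalid/some-lib/-/some-lib-2.1.1.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_HASH_0000000000000000000000000000000000000000000000==",
    },
    "node_modules/other-lib": {
      version: "3.2.0",
      resolved: "https://registry.example.invalid/other-lib/-/other-lib-3.2.0.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_HASH_1111111111111111111111111111111111111111111111==",
    },
    // transitive dependency carrying only a sha1 hash
    "node_modules/tiny-dep": {
      version: "0.0.3",
      resolved: "https://registry.example.invalid/tiny-dep/-/tiny-dep-0.0.3.tgz",
      integrity: "sha1-CONSTRUCTEDPLACEHOLDERNOTREAL=",
    },
    // "build-tool" is deliberately absent from the lock file
  },
};

function runCheck(pkg = SAMPLE_PACKAGE_JSON, lock = SAMPLE_LOCK) {
  const fuzzy = findFuzzyDeps(pkg);
  const problems = auditLockfile(pkg, lock);
  return { fuzzy, problems, ok: fuzzy.length === 0 && problems.length === 0 };
}

console.log(JSON.stringify(runCheck(), null, 2));
```

On the sample input the check reports two fuzzy specs (other-lib, build-tool) and three lock file problems (the some-lib version drift, the missing build-tool entry, and the sha1-only tiny-dep entry). In a real project, read both files with fs.readFileSync and fail the release pipeline when `ok` is false; installing with `npm ci` rather than `npm install` is the companion runtime guard, since `npm ci` refuses to run when package.json and the lock file disagree and never rewrites the lock file.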

Regarding the whole ecosystem: TC39 should look into adding a better standard library to JS itself, which would reduce the number of one-liner packages. There is an active proposal, which is, however, met with contempt by many JS community members.