How is it a smart move? Here, Microsoft is training users to ignore a security warning. If the same mechanism were added to NPM (that is, a warning that the package is suspicious and for the user to be extra sure they want it), users would have been trained to ignore any security warning issued for the compromised axios version (just like they had ignored it for all previous "clean" versions) and installed it anyway.

The relevant heuristic in NPM supply-chain compromises would be the age of the specific binary. i.e. a freshly released package is riskier than one that's been around for a few days. So perhaps the policy should be that NPM doesn't install new package versions unless they've been public for 24 hours, or there's a signed override from the package repository itself stating that the update fixes a security issue. Of course, that would also require the NPM team have a separate review process for signing urgent security fixes.