I don't really buy this. NPM is targeted because it's the largest attack surface with the biggest payoff for a successful attack.

Other ecosystems package managers are really no different in a lot of ways.

NPM's biggest fault is just it allows post/pre install scripts by default without user intervention.