Npm developers can relate to Windows being a target because it’s the most popular package manager.

Why would you target xyz pkg niche manager knowing that only 200 people will install them?

NPM does perform active offline & online vuln scanning on the packages. Everyone can do more, but they are going to be the #1 target.