Obtaining software from a separate distribution project with a review process is one mitigation,[1] and has other benefits besides.[2]
180+ NPM Packages Hit in Major Supply Chain Attack: Trojanized package stealing maintainer credentials
19 npm Packages Compromised in Major Supply-Chain Attack: Maintainer spear-phishing
[1] Drew DeVault, “Developers Shouldn’t Distribute Their Own Software,” December 9, 2019, https://drewdevault.com/2019/12/09/Developers-shouldnt-distribute.html; Drew DeVault, “When Will We Learn?,” May 12, 2022, https://drewdevault.com/2022/05/12/Supply-chain-when-will-we-learn.html.
[2] Drew DeVault, “Developers: Let Distros Do Their Job,” September 27, 2021, https://drewdevault.com/2021/09/27/Let-distros-do-their-job.html.