The approach embodied by package managers like npm - but also Python, Go, and others besides - is fundamentally broken. The software maintainers should not be the sole point of failure in publishing their package.
The approach used by distributions is much, much better. Having a separate team of people responsible for packaging up software is a much better approach. This would allow the security patches to get in, help enforce a sane baseline of packaging standards, prevent the introduction of malware, and have someone accountable whose interests align more with downstream than upstream.
Using a package manager like npm does not prevent having a separate team of people responsible for validating and re-publishing packages under their own namespace. A new organization could step in and make their own whitelist at any time.