I think the biggest problem with npm is just that it is very popular, so for attackers the chance of hitting something with their attack is bigger than with other systems.

I guess that makes sense. For peak security I guess its best to use a niche programming languages to avoid that kind of thing