The problem isn't really NodeJS; this can happen to Java, Go, Rust, … and many other languages as well.
The problem is verifying your dependencies. Maybe we should start to sign node packages, but remember what a mess this would cause, since you sometimes load more than a thousand different packages from more than a hundred different vendors, which would need you to verify more than one hundred keys when you just want to install a single piece of software.
Npm put the concept of component based development at its core.
This is a valid thing, but people don't consider the implications. In component-driven development you have to trust your component vendors. I know this is something some people hate, but welcome to how the world works.
The problem in the node ecosystem is that trust is cheap to get and there are often no big vendors for tons of components.