It's a public repository of stuff. End of story. Why should NPM do the job of vetting everything? They aren't getting paid for it (or most of it).
https://www.npmjs.com/about
> Headquartered in California, [GitHub] has been a subsidiary of Microsoft since 2018.
https://en.wikipedia.org/wiki/GitHub
I think they're effectively a department that generates a lot of PR. They have paid security staff.
https://jobspresso.co/job/software-engineer-platform-2-2-2-2...
This is a job posting for a security engineer at npm from July 4 that appears to me to have been filled. I'm sure that, as an organization, npm, Inc. is aware of vulnerabilities in their core product, so there's internal back and forth: the usual stuff.