This is a problem. But comparatively not many high-profile break-ins have been due to npm (in spite of its massive popularity).

If you picked Node, common best practices need to be followed for production:

1) Thoroughly vet dependencies you bring in. Pin to exact patch versions in package.json. npm-shrinkwrap.

2) Add code in tree when possible (prefer StackOverflow snippets over npm).

3) Prefer light modules with fewer features. Always check their dependencies.

There will still be some vulnerabilities from time to time. But if you've been somewhat careful, most of them tend to happen among devDependencies, which is usually safe. To go further, cut out devDependencies too; for example use a shell script along with esbuild instead of bringing in a heavy-duty bundler.

I would say keep an eye on dev dependencies which are a part of the build process. Malicious code there could easily append malicious code to the production build, even if you have a deployment server set up. This is just as dangerous as a malicious production dependency.


Be careful with stackoverflow though. Some highly upvoted answers are sometimes broken or even dangerous. But reading the tiny comments and other answers is usually enough to identify a better solution.
