Yes and no. The truth of the matter is supply-chain attacks in any repository are almost impossible to fully mitigate. The attack you linked sounds like a big and successful attack, but there are more minor attack attempts all the time. It’s the blessing and curse of every package manager that anyone can upload almost anything.

The upshot is that the most active repos have the most eyes. Not to say an attack won’t fly under the radar, but if the React or Angular packages (or their dependencies) start acting weird, it’s more likely that someone will notice, as there are people dedicated to auditing such things.

Furthermore, a lot of the smaller packages do “one thing” (see the infamous is-even package), so they are small and easy to self-audit if you are paranoid enough.

It’s not perfect, and there will always be more headlines about the next big attack, but it’s still a boon overall IMO.

I think one of the issues inherent to the node ecosystem is that the coast is never clear. When the ethos is to never reinvent the wheel, and instead pull in a dependency chain of thousands of tiny things made by thousands of people (not necessarily a bad thing, it saves time and lets developers focus on what they really want to do), you’re going to have supply chain attacks that go undetected, because nobody has time to vet every single change to all those thousands of things.