People treating random code they found on the internet as if it came from a “supply chain” is the real problem.
In an actual supply chain, you have a relationship with a supplier who provides goods or services that meet an agreed specification, in exchange for agreed compensation.
The random person who published an npm package you use owes you nothing, and you have no reason to trust them, to believe that they are who they say they are, or to believe that the code they ostensibly published does what it claims.