I'm surprised the blockchain gang isn't coming up with a solution for trustless npm packages, or is it that a blockchain can't solve the problem of a trusted developer suddenly becoming untrustworthy?

> solve the problem of a trusted developer suddenly becoming untrustworthy?

This would be an exceptionally hard problem to solve, with or without blockchain.

Could you develop a system where any new releases are required to be reviewed and "signed off" by a random assortment of users before becoming "active"? Sure.

Is "blockchain" necessary for that? No.

This exists; it's called crev: https://github.com/crev-dev/crev

As you note, this doesn't require a blockchain. crev uses a web-of-trust model which is pretty well suited to the task.
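As an added illustration (not part of this thread and not crev's own code or data format), here is a simplified Python sketch of the web-of-trust gating discussed above: a release is accepted only when enough reviewers the user transitively trusts, excluding the publisher, have signed off on the exact digest and no trusted reviewer objected. The reviewer names, trust levels, and the trust-propagation rule are constructed assumptions.

```python
from collections import deque
# Constructed, simplified web-of-trust model; not crev's own algorithm or format.
LEVELS = {"high": 3, "medium": 2, "low": 1, "none": 0}
# Sample trust graph {truster: {trustee: level}} (constructed data).
TRUST = {"me": {"alice": "high", "bob": "medium"}, "alice": {"carol": "high"},
         "bob": {"dave": "low"}}
# Constructed release: alice publishes it, so her own sign-off must not count.
RELEASE = {"package": "example-pkg", "version": "1.3.0", "publisher": "alice",
           "digest": "sha256:PLACEHOLDER"}

def effective_trust(me, trust_edges=TRUST, max_depth=3):
    """Transitive trust from `me`: a reviewer is never trusted more than
    whoever vouched for them, and chains longer than max_depth are ignored."""
    best = {me: LEVELS["high"]}
    queue = deque([(me, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue
        for trustee, level in trust_edges.get(node, {}).items():
            score = min(best[node], LEVELS[level])
            if score > best.get(trustee, 0):
                best[trustee] = score
                queue.append((trustee, depth + 1))
    return best

def review(reviewer, verdict="positive", digest=RELEASE["digest"]):
    """Build a constructed review record for RELEASE."""
    return {"reviewer": reviewer, "package": RELEASE["package"],
            "version": RELEASE["version"], "digest": digest, "verdict": verdict}

def verify_release(me, release, reviews, trust_edges=TRUST,
                   required=2, min_level="medium"):
    """Accept only if `required` reviewers trusted at least `min_level`, none of
    them the publisher, approved this exact digest and no trusted reviewer objected."""
    trust = effective_trust(me, trust_edges)
    key = (release["package"], release["version"], release["digest"])
    approvers = set()
    for r in reviews:
        if (r["package"], r["version"], r["digest"]) != key:
            continue  # a review of some other build does not carry over
        if r["reviewer"] == release["publisher"]:
            continue  # the publisher cannot sign off on their own release
        if trust.get(r["reviewer"], 0) < LEVELS[min_level]:
            continue  # unknown or insufficiently trusted reviewer
        if r["verdict"] == "negative":
            return False, f"trusted reviewer {r['reviewer']} objected"
        approvers.add(r["reviewer"])
    if len(approvers) < required:
        return False, f"only {len(approvers)} of {required} trusted approvals"
    return True, "approved by " + ", ".join(sorted(approvers))
```

Because the publisher's own review is ignored and trust is bounded by the voucher's level, a single maintainer turning malicious cannot approve their own release, and a low-trust or unknown account cannot make up the shortfall.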