Yeah, the one prominent thing that is missing from NPM packaging procedure is the PGP/GnuPG signing procedure.
Otherwise, it is way too easy to automate the submission.
How would package signing have prevented this?
It makes a lot more sense to use cryptography to verify that releases are not malicious directly. Tools like crev [1], vouch [2], and cargo-vet [3] allow you to trust your colleagues or specific people to review packages before you install them. That way you don't have to trust their authors or package repositories at all.
That seems like a much more viable path forward than expecting package repositories to audit packages or trying to assign trust onto random developers.
[1]: https://github.com/crev-dev/crev [2]: https://github.com/vouch-dev/vouch [3]: https://github.com/mozilla/cargo-vet