as someone that likes the npm package ecosystem but is not fond of malware - ended up building a CLI wrapper around npm to only install packages older than a configurable amount of days.

in case folks find it helpful: https://github.com/kevinslin/safe-npm