Like most people, I have my issues with NPM. But this is a big problem for any platform that hosts large amounts of code. You can't verify that much code for vulnerabilities. F-Droid is probably the most successful at any sort of scale.