for every node package, see what node packages are 3 or less levenshtein distance away when it's uploaded, and go through all existing packages. Add an optional flag that will, if you try to install a package that has a package within that edit distance that is an order of magnitude more popular, give you a warning and skip that package, an optional flag that errors, and a way to force it for a specific package. In the future, make the first optional flag the default, so people get warnings with instructions to override. Allow white listing of particular packages that may be problematic, and expect a shared white list. Then, a year later after repeated warnings of the coming nodepocalypse, make the second optional flag the default, so if you haven't white listed or explicitly forced installing such a package, it will fail.
You will, of course break production for a few people who just didn't listen.
Alternatively, instead of edit distance, allow users to report problematic packages and do a similar thing. Do not provide an explicit award to users who report, so nobody would create fake malware just to report it.
In both cases, either implicitly or explicitly you are using the wisdom of the crowd to figure out the bad packages.
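The edit-distance check proposed in the first paragraph, written out as an added example (not code from the comment or from npm): a Levenshtein function, a lookup of neighbours within distance 3 that are at least 10x more popular, and the warn/error/force/white-list behaviour. The registry and its download counts are constructed sample data.

```javascript
// Constructed sample registry: package name -> weekly downloads (not real numbers).
const SAMPLE_REGISTRY = {
  lodash: 40_000_000,
  express: 25_000_000,
  "cross-env": 5_000_000,
  lodahs: 1_200,      // 2 edits from lodash
  expres: 300,        // 1 edit from express
  crossenv: 900,      // 1 edit from cross-env
};

// Standard single-row Levenshtein distance (insert, delete, substitute each cost 1).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Decide what an installer should do with `name`.
// mode: "warn" -> skip the package with a warning; "error" -> fail the install.
// allowlist: shared white list of known-fine names; force: names the user explicitly forced.
function checkPackage(name, registry, opts = {}) {
  const { mode = "warn", allowlist = new Set(), force = new Set(),
          maxDistance = 3, ratio = 10 } = opts;
  const downloads = registry[name] ?? 0;
  // A neighbour counts only if it is within maxDistance edits AND an order of
  // magnitude more popular; a brand-new (0-download) name is compared against 1.
  const suspects = Object.entries(registry)
    .filter(([other, count]) => other !== name
      && levenshtein(name, other) <= maxDistance
      && count >= Math.max(downloads, 1) * ratio)
    .map(([other]) => other);
  if (suspects.length === 0 || allowlist.has(name) || force.has(name)) {
    return { action: "install", suspects };
  }
  return { action: mode === "error" ? "fail" : "skip", suspects };
}
```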