Security is certainly low-end in OSS, especially in the JS ecosystem, primarily because imposing a strict set of standards on a massive ecosystem is difficult when there is no powerful authority managing the JS ecosystem.
For instance, take Apple or Google, who manage and set the standards in their respective mobile ecosystems by introducing a strict checklist of security measures for mobile apps.
Assuming little/no damage was done in the recent incident of the npm library hack, I think people have now become cautious about including libraries written by unidentified sources. They're now verifying them before directly hitting npm install ..., which is a good thing IMO.
What could possibly be introduced is a concept of certificates like we have for websites. Some authorised source (probably npm itself) should certify that a library is safe to use. Of course, there would be a price for that, but it would certainly make an impact.