It is not package managers. It is due to the poor NPM ecosystem: lots of crappy packages (like left-pad), auto-updates, lots of dependencies, post-install scripts, an insecure language.
These security problems happen much less often in other ecosystems. There is nothing even remotely as bad as NPM.