This is a cultural problem created through a fundamental misunderstanding (and mis-application) of Unix philosophy. As far as I'm aware the Rust ecosystem doesn't have a problem appropriately sizing packages which in turn reduces the overall attack surface of dependencies.


This has nothing to do with package sizes. Cargo was just hit with a phishing campaign not too long ago, and does still use tokens for auth. NPM just has a wider surface area.


It's kinda funny because "Unix philosophy" was never a coherent thing in the first place. Arguably Plan 9 came the closest to that in practice, but, well, you might note it didn't exactly have a strong uptake. Unix itself is a pile of hacks though, and it's both sad and amusing to watch people trying to divine some kind of methodology out of that.


I agree, but imo the Rust ecosystem has the same problem. Not to the extent of NPM, but worse than C/C++.



