What about reviews and review certificates then?
If you review the package foo@1.0 you could publicly certify that it is not malicious and maybe earn some money with it.
In turn, you back your claim with a financial security that you pay in case the package actually contains malicious code.
That's a great idea - but in a centralized system like npm or cargo you don't need certificates to implement that. (Certs might be a nice implementation though.)
So yeah, there might be a "trusted security reviews with payments" shaped technical solution. I'd love to see someone flesh that out - that sounds like a potential solution to this problem (unlike developer-signed packages).