Given the recent incident regarding eslint-scope, it is pretty obvious and necessary to me that certain security measures must be added to npm.
A very simple idea would be to mark all npm packages that use network access, and provide a warning to the user if the previous version of the package does not require that access.
The implementation should be fairly straightforward by analyzing the existing npm dependency graph, and checking for the use of certain browser globals and Node network packages. The nature of such problems makes it necessary for it to be done within the npm package and/or repository.
Given the way malicious software works, it is most sensitive to most people if their private data gets stolen, given that it cannot be undone.
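The version-to-version check sketched above, as an added example (JavaScript for Node; this is not npm's own code or the poster's): it scans a package's source files for `require`/`import` of Node network modules and for browser network globals, then reports the capabilities a new version gains over the previous one. The module list, the globals list, the package name `example-pkg` and the two sample versions are constructed assumptions. The matching is textual, so a dynamically built `require()` argument can slip past it and a local method named `fetch` can trip it; a real implementation would parse the source instead of grepping it.

```javascript
// Added example: heuristic "does this version touch the network?" scanner
// for comparing two versions of an npm package. Lists and sample inputs are
// constructed for illustration, not taken from npm or any real package.

// Node core modules whose use implies network access (assumed, not exhaustive).
const NETWORK_MODULES = new Set(['http', 'https', 'http2', 'net', 'tls', 'dgram', 'dns']);
// Browser-side APIs that reach the network (assumed, not exhaustive).
const NETWORK_GLOBALS = ['fetch', 'XMLHttpRequest', 'WebSocket', 'EventSource', 'navigator.sendBeacon'];

// require('x') / require("x")
const REQUIRE_RE = /\brequire\(\s*['"]([^'"]+)['"]\s*\)/g;
// import ... from 'x', bare import 'x', and dynamic import('x')
const IMPORT_RE = /\bimport\b(?:[^'";]*?\bfrom)?\s*['"]([^'"]+)['"]|\bimport\(\s*['"]([^'"]+)['"]\s*\)/g;

// 'node:https' and 'https' are the same core module.
function stripNodePrefix(name) {
  return name.startsWith('node:') ? name.slice(5) : name;
}

// files: { [path]: source }. Returns a sorted list of capability tags such as
// 'module:https' or 'global:fetch' found anywhere in the package.
function detectNetworkAccess(files) {
  const found = new Set();
  for (const src of Object.values(files)) {
    for (const re of [REQUIRE_RE, IMPORT_RE]) {
      re.lastIndex = 0; // shared global regex: reset before each file
      let m;
      while ((m = re.exec(src)) !== null) {
        const mod = stripNodePrefix(m[1] || m[2]);
        if (NETWORK_MODULES.has(mod)) found.add(`module:${mod}`);
      }
    }
    for (const g of NETWORK_GLOBALS) {
      // Not preceded by an identifier character, so `window.fetch(` matches but
      // `prefetch(` and `fetchAll(` do not. Escape the dot in navigator.sendBeacon.
      const re = new RegExp(`(^|[^\\w$])${g.replace('.', '\\.')}\\b`);
      if (re.test(src)) found.add(`global:${g}`);
    }
  }
  return [...found].sort();
}

// Capabilities present in `nextFiles` that the previous version did not have.
function newNetworkCapabilities(prevFiles, nextFiles) {
  const prev = new Set(detectNetworkAccess(prevFiles));
  return detectNetworkAccess(nextFiles).filter((c) => !prev.has(c));
}

// The warning a client could show at install/update time, or null if nothing changed.
function warningFor(name, prevVersion, nextVersion, prevFiles, nextFiles) {
  const added = newNetworkCapabilities(prevFiles, nextFiles);
  if (added.length === 0) return null;
  return `WARN ${name}@${nextVersion} gains network access not present in ${prevVersion}: ${added.join(', ')}`;
}

// Constructed sample: 1.0.0 only reads files; 1.0.1 adds a module that opens an
// outbound HTTPS request. Hostnames under .invalid never resolve.
const sampleV1 = {
  'lib/index.js': "const fs = require('fs');\nmodule.exports = (f) => fs.readFileSync(f, 'utf8');",
};
const sampleV2 = {
  'lib/index.js': "const fs = require('fs');\nmodule.exports = (f) => fs.readFileSync(f, 'utf8');",
  'lib/telemetry.js':
    "const https = require('node:https');\n" +
    "function send(d) { https.request({ hostname: 'example.invalid' }).end(d); }\n" +
    'module.exports = { send };',
};

console.log(warningFor('example-pkg', '1.0.0', '1.0.1', sampleV1, sampleV2));
```

Run with `node scan.js`; the sample prints a warning naming `module:https`, while comparing a version with itself returns `null`.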