A flat namespace is typo-squatting friendly.
The predominantly used flat NPM namespace aggravates this problem.
In fact, NPM allows a two-level namespace <account name>/<package name>,
but that is used rarely enough that using it, without also ensuring the rhs <package name>
is unused and claiming it, would be an invitation for a hacker to do so. Therefore,
most developers won't bother with the account name.
IMO - what NPM should do at a minimum is to require all new packages to include the <account name> component.
NPM might also require a two or three character distance difference between any new account and any existing one.
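
The minimum-distance rule for new account names suggested above, as an added example (not part of the original comment and not npm's actual code). The function names, the separator normalization and the default threshold of 3 are assumptions; the distance used is optimal string alignment, which counts an adjacent-character swap as one edit.

```javascript
// Added example: hypothetical registry-side check, not npm's actual code.
'use strict';

// Optimal string alignment distance: insert, delete, substitute, or swap
// two adjacent characters, each costing 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => {
    const row = new Array(b.length + 1).fill(0);
    row[0] = i;
    return row;
  });
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Normalize so case and separator variants compare as the same name (assumption).
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, '');
}

// Reject a new account name closer than minDistance to any existing one.
function checkNewAccount(candidate, existingAccounts, minDistance = 3) {
  const c = normalize(candidate);
  const conflicts = existingAccounts
    .map((name) => ({ name, distance: editDistance(c, normalize(name)) }))
    .filter((e) => e.distance < minDistance);
  return { allowed: conflicts.length === 0, conflicts };
}

// Constructed sample data, not real npm accounts.
const existing = ['acme-tools', 'example-org', 'widgets'];
console.log(checkNewAccount('acme_tools', existing));  // separator variant
console.log(checkNewAccount('exmaple-org', existing)); // adjacent swap
console.log(checkNewAccount('northwind', existing));   // unrelated name
```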