This is a very confusing or incomplete description. If I understand correctly, this is not just the Object prototype pollution problem, which has been known forever. Saying it is an object prototype pollution problem is misleading.
Rather (reading between the lines) it is miscommunication/misdirection, stuffing admittedly bad information into Object that is then looked at by other software. That software is not verifying that the information came from the expected place, package.json say, but picking it up from the Object prototype.
Oh dear, does reading JSON not use a clean Object.create(null) object?
Anyway, the helpful notes in the NPM package situation mentioned would be - here are all the parameters you must fill in in package.json or else some software may be pulling answers out of a hat.
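The situation the comment describes, as an added example that is not part of the original post: a reader that trusts whatever property it finds on a parsed package.json object will pick up a value from Object.prototype when the field is absent, while a reader that checks for own properties, or copies the parsed data onto an Object.create(null) object, does not. The package.json text and the polluted "main" value are constructed for the demonstration.

```javascript
// Constructed package.json-like input that omits the "main" field.
const PACKAGE_JSON = '{"name": "demo", "version": "1.0.0"}';

// Naive reader: a missing key silently resolves through the prototype chain,
// so the answer may come from Object.prototype rather than from the file.
function readMainNaive(jsonText) {
  const pkg = JSON.parse(jsonText);
  return pkg.main;
}

// Safe reader 1: only accept a value that is an own property of the parsed object.
function readMainOwn(jsonText) {
  const pkg = JSON.parse(jsonText);
  return Object.hasOwn(pkg, "main") ? pkg.main : undefined;
}

// Safe reader 2: re-home the parsed data onto a prototype-less object.
// Object.assign copies own enumerable properties only, so nothing inherited
// from Object.prototype comes along, and the result has no prototype to fall back to.
function toNullProto(jsonText) {
  return Object.assign(Object.create(null), JSON.parse(jsonText));
}
function readMainNullProto(jsonText) {
  return toNullProto(jsonText).main;
}

// Simulate a runtime in which some other code has already stuffed a value into
// Object.prototype (constructed for the demonstration, removed again afterwards),
// and show what each reader reports for the same package.json text.
function demo() {
  Object.defineProperty(Object.prototype, "main", {
    value: "./from-prototype.js",
    configurable: true,
    enumerable: false,
    writable: true,
  });
  try {
    return {
      naive: readMainNaive(PACKAGE_JSON),       // "./from-prototype.js"
      own: readMainOwn(PACKAGE_JSON),           // undefined
      nullProto: readMainNullProto(PACKAGE_JSON), // undefined
    };
  } finally {
    delete Object.prototype.main;
  }
}
```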