> It seems like it might just be that Python/npm are juicier targets?
Attackers go where the victims are. Frontend is a monoculture with the vast majority using NPM; backend, less so. This isn't an excuse for NPM, but another strike against it.
You could also argue that the attacks make a deeper point about frontend vs backend devs, but I won't go there.
The fact that a package manager which keeps separate versions of each package for each dependency that it has became the accepted default that everyone in the frontend community uses as a foundation for their projects speaks to a lack of care or understanding within that community for technical matters.
Frontend has a lower barrier of entry and more appeal for beginners, so its bell curve might have a thicker left edge. It impacts the average of problems and the culture of dealing with them.
More appeal I agree because it's easier to see useful results and iterate quicker. Lower barrier of entry I disagree with strongly; if the barrier to entry were so low I don't know why I've worked with so many otherwise-talented backend devs that can't wrap their heads around the frontend to save their lives. Frontend forces you to deal with real-world customer problems sooner rather than later; performance is more important, it has to work on more than one environment, you have a frame budget. It's like saying game development has a low barrier to entry; you might be able to get started quickly but you will run into constraints unless you learn fast. On the backend you can just pay another dollar for a VPS twice the size.