But they have many developers. And one developer could insert code which works and passes tests, but in Background start someday a download and start monero mining.
The point is: you have to trust the developers at this companies, that they not do anything bad and that the companies check every code of every dev. Trust.
npm (and i think the other repos too) implement more and more security tools and procedures to reduce the risk. But 100% security is impossible.