There's no silver bullet, but getting an exploit into xz took extraordinary effort, a long time, and bespoke code, because it needed to slip under the radar of actual humans reading the code. A Shai-Hulud-style attack won't work with any reasonable Linux distro, like it does with npm.
But it was caught with the existing release model, where it first goes to testing, where many people see it before it reaches the production systems in the stable release. For example, Debian.