I guess that the only solution for the malicious packages problem would be to have someone review the code. As there's a lot of code and reviewing takes time, this has to be a paid service - for a fee you get access to a "safe" repository.
I am not sure if it could be a viable business model though. People who use open source have got used to it being free and are unlikely to pay.