It will only get much worse because popular AI coding harnesses (OpenCode/KiloCode) will just download random npm packages in the background without you knowing. And the devs don't care.

Setting min age is useless if everyone is doing it. The whole point of setting min age is to make someone else take the bait before you.

It isn't useless. Security researchers are the ones catching a lot of these and they will certainly not wait 3 days to inspect a package.