The number is incredibly low and a major issue of concern for the npm security team, who'd like to see this figure grow in the coming year.
This has made npm a prime target for supply-chain attacks, scenarios where hackers breach a developer's npm account in order to insert malicious code inside that developer's libraries. Such incidents have happened repeatedly in past years, including 2019.
June 2019 - a hacker backdoored the electron-native-notify library to insert malicious code that reached the Agama cryptocurrency wallet.
November 2018 - a hacker backdoored the event-stream npm package to load malicious code inside the BitPay Copay desktop and mobile wallet apps, and steal cryptocurrency.
July 2018 - a hacker compromised the ESLint library with malicious code that was designed to steal the npm credentials of other developers.
May 2018 - a hacker tried to hide a backdoor in a popular npm package named getcookies.
Academic research published last year showed that most of the npm packages are intertwined with one another, and that hacking 20 high-profile developer accounts could allow a threat actor to plant malicious code that gets used by half of the entire npm ecosystem.
As such, securing the accounts of npm library owners should be a top priority going forward.
The 9.27% figure is pretty low, and the npm team should take a page out of the book of Mozilla, the company behind the Firefox browser.