The number is incredibly low and a major concern for the npm security team, who'd like to see this figure grow in the coming year.
This has made npm a prime target for supply-chain attacks, scenarios where hackers breach a developer's npm account in order to insert malicious code inside their libraries. Such incidents have happened in past years, including 2019.
Academic research published last year showed that most npm packages are intertwined with one another, and that hacking 20 high-profile developer accounts could allow a threat actor to plant malicious code that gets used by half of the entire npm ecosystem.
As such, securing the accounts of npm library owners should be a top priority going forward.
The 9.27% figure is pretty low, and the npm team should take a page out of the book of Mozilla, the company behind the Firefox browser.
Last month, Mozilla announced that starting in January 2020, all developers of Firefox browser extensions must enable 2FA for their accounts in order to update their extensions.
Other security-related stats from the npm security team [source]: