This would be cool, but there would still need to be an operator of the npm or PyPI account. That account would probably sign up and verify itself with a combination of email and maybe text message or some other 2FA.
Another basic prerequisite to truly decentralizing this kind of account ownership might be for ICP to support SMTP.
See here for some discussion on email/SMTP support: Email/ smtp support to canisters - #2 by w3tester