How is it a smart move? Here, Microsoft is training users to ignore a security warning. If the same mechanism were added to NPM (that is, a warning that the package is suspicious and for the user to be extra sure they want it), users would have been trained to ignore any security warning issued for the compromised axios version (just like they had ignored it for all previous "clean" versions) and installed it anyway.
It has certainly had that effect on me. When I heard that notepad++ was being flagged for something somewhere by someone, all I thought was "so they forgot to pay a protection fee?" Genuinely I thought it was being brought up just as an indication that the developer may be absent or asleep at the wheel. There is literally no association in my brain between one of these warnings and the concept of software being compromised or not.
And I've seen other less tech inclined people click right through these without a moment's thought. They think it's just one of those things computers have to complain about.
The relevant heuristic in NPM supply-chain compromises would be the age of the specific binary, i.e. a freshly released package is riskier than one that's been around for a few days. So perhaps the policy should be that NPM doesn't install new package versions unless they've been public for 24 hours, or there's a signed override from the package repository itself stating that the update fixes a security issue. Of course, that would also require the NPM team to have a separate review process for signing urgent security fixes.
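A sketch of the 24-hour quarantine proposed in this comment, as an added example that is not part of the thread. It selects the newest version whose publish timestamp in the registry packument's `time` map is old enough; the `overrides` set stands in for the hypothetical signed security-fix override, and the packument is a constructed sample.

```javascript
// Fixed clock so the example is deterministic (constructed, not a real release history).
const NOW = Date.parse("2024-03-01T12:00:00Z");
const HOUR = 60 * 60 * 1000;

// Constructed sample packument in the shape the npm registry returns:
// `time` maps each published version (plus created/modified) to an ISO timestamp.
// 1.2.0 was pushed two hours before NOW, so it is still inside the quarantine window.
const samplePackument = {
  name: "example-pkg",
  "dist-tags": { latest: "1.2.0" },
  time: {
    created: "2024-01-01T00:00:00Z",
    modified: "2024-03-01T10:00:00Z",
    "1.0.0": "2024-01-01T00:00:00Z",
    "1.1.0": "2024-02-20T00:00:00Z",
    "1.2.0": "2024-03-01T10:00:00Z",
  },
};

// Minimal numeric x.y.z comparison; pre-release suffixes are ignored for brevity.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// Return the highest version that has been public for at least `minAgeMs`,
// or that appears in `overrides` (hypothetical signed security-fix list).
// Returns null when every version is still too new.
function selectMaturedVersion(packument, now, minAgeMs, overrides = new Set()) {
  const candidates = Object.entries(packument.time)
    .filter(([key]) => !["created", "modified", "unpublished"].includes(key))
    .map(([version, iso]) => ({ version, publishedAt: Date.parse(iso) }))
    .filter(({ version, publishedAt }) =>
      overrides.has(version) || now - publishedAt >= minAgeMs)
    .sort((x, y) => compareSemver(y.version, x.version));
  return candidates.length ? candidates[0].version : null;
}

// Quarantine in effect: latest is 1.2.0, but the resolver hands back 1.1.0.
console.log(selectMaturedVersion(samplePackument, NOW, 24 * HOUR));
```

npm's own `--before=<date>` option applies a similar cut-off to a whole install, which is the closest existing knob to this policy.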