Tags: Experiments, npm, node.js
Supply chain, npm vs PyPI: I compared both simulations and the most dangerous vector isn't what everyone thinks
I ran supply chain attack simulations on npm and PyPI separately. When I put them side by side, the pattern that emerged made me uncomfortable: the ecosystem everyone watches isn't the most vulnerable one. Here's the cross-analysis, with real numbers.