Comment by ibejoeb
2 months ago
NPM needs some kind of attestation mechanism. There needs to be an independent third party that has the fingerprint, and then npm must verify it before a change is published. It could even be just DNS or a well-known URI that, if changed, triggers lockdown. Then, even in the case of a successful compromise of an NPM account or source control, whether via phishing like the last one or token exfiltration like this one, it will remain unpublished.
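The gate the comment describes, sketched as an added example (this is not part of the comment and not an existing npm feature): the registry pins, per package, an out-of-band attestation source such as a DNS TXT record or a `.well-known` URI on the maintainer's domain; before accepting a publish it resolves that source, compares the tarball's SHA-256 against the fingerprint found there, and refuses the publish if the record is missing or disagrees. Because the record lives outside the registry account and the source repository, a stolen npm token or a phished login alone cannot satisfy it. The record name `_npm-attest.<package>.example.org`, the package name, the tarball bytes and the in-memory resolver are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional


def fingerprint(tarball: bytes) -> str:
    """SHA-256 of the release tarball, hex encoded."""
    return hashlib.sha256(tarball).hexdigest()


# Constructed release artifacts: the tarball the maintainer built, and one an
# attacker holding a stolen publish token would try to push instead.
GOOD_TARBALL = b"constructed tarball bytes for left-pad-demo@1.0.0"
TAMPERED_TARBALL = b"constructed tarball bytes with an injected postinstall script"

# Constructed stand-in for the out-of-band store (a DNS TXT record or a
# .well-known document). The maintainer writes the fingerprint here from a
# credential that is not the npm token, e.g. their DNS provider login.
OUT_OF_BAND_RECORDS = {
    "_npm-attest.left-pad-demo.example.org": {"1.0.0": fingerprint(GOOD_TARBALL)},
}


def dict_resolver(record_name: str) -> Optional[dict]:
    """Hypothetical resolver; a real one would query DNS or fetch the URI over HTTPS."""
    return OUT_OF_BAND_RECORDS.get(record_name)


@dataclass
class PublishGate:
    # Registry-side pin: package name -> attestation record name. Set when the
    # package is created and only changeable through an out-of-band process.
    attestation_source: dict
    resolver: Callable[[str], Optional[dict]]
    locked: set = field(default_factory=set)

    def _lockdown(self, package: str, reason: str) -> tuple:
        # Any disagreement between registry and out-of-band record freezes the
        # package until a human clears it; a bad publish is never let through.
        self.locked.add(package)
        return False, f"{reason}: package locked down"

    def check(self, package: str, version: str, tarball: bytes) -> tuple:
        """Return (allowed, reason) for a publish attempt."""
        if package in self.locked:
            return False, "package is locked down; clear out of band first"
        source = self.attestation_source.get(package)
        if source is None:
            return False, "no attestation source pinned for package"
        record = self.resolver(source)
        if record is None:
            return self._lockdown(package, "attestation record missing")
        expected = record.get(version)
        if expected is None:
            return self._lockdown(package, f"no fingerprint published for {version}")
        # Constant-time comparison of hex digests.
        if not hmac.compare_digest(expected, fingerprint(tarball)):
            return self._lockdown(package, "tarball fingerprint mismatch")
        return True, "fingerprint verified against out-of-band record"

    def unlock(self, package: str) -> None:
        """Out-of-band recovery step, deliberately not reachable via a publish call."""
        self.locked.discard(package)


def demo() -> list:
    gate = PublishGate(
        attestation_source={"left-pad-demo": "_npm-attest.left-pad-demo.example.org"},
        resolver=dict_resolver,
    )
    results = [
        gate.check("left-pad-demo", "1.0.0", GOOD_TARBALL),      # legitimate release
        gate.check("left-pad-demo", "1.0.0", TAMPERED_TARBALL),  # stolen-token publish
        gate.check("left-pad-demo", "1.0.0", GOOD_TARBALL),      # still locked afterwards
    ]
    gate.unlock("left-pad-demo")
    results.append(gate.check("left-pad-demo", "1.0.0", GOOD_TARBALL))
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The lockdown is sticky by design: once a mismatch is seen, even a subsequent correct publish is refused until someone clears the lock through a path that a publish token cannot reach, which is what makes a quiet retry by the attacker impossible.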