Comment by serial_dev

It could have eliminated an attack surface where they steal the credentials from the CI/CD...

...But then you if I understand NPM publishing well, you would still have the credentials on someone's computer laying around? I guess you could always revoke the tokens after publishing? It's all balancing convenience and security, with some options being bad at both?