Fair points — this isn’t a preventative control and it doesn’t “lock down” your CI. If an attacker has your NPM token, you’ve already been pwned.
The goal is to stop the spread. This will quickly unpublish a library and alert you, so no one else is downloading the compromised package, like what happened with posthog.