This was a GitHub Actions hack, nothing related to publishing on npm was compromised.