> - MFA for publishing: https://docs.npmjs.com/requiring-2fa-for-package-publishing-...

> - trusted publishers, available for about a year: https://docs.npmjs.com/trusted-publishers

According to [1], "All affected packages were published via GitHub Actions OIDC from the RedHatInsights/javascript-clients repository, indicating the upstream CI/CD pipeline itself was compromised."

So the malicious package would have gotten the happy little green star, with users assured it was "Built and signed with provenance."

[1] https://lwn.net/Articles/1075742/