While token farmers flooded npm, other threat actors kept targeting open source to reach developer machines and wallets. The lesson is the same: OSS registries are a live security surface and need protocol-level defenses.