[jml78]

You forgot to mention it is also tied to provable namespaces. People keep saying that NPM is just the biggest target...

Hate to break it to you but from targeting enterprises, java maven artifacts would be a MASSIVE target. It is just harder to compromise because NPM is such shit.

[redwall_hp]

Maven Central verifies the domain used for the package namespace, too. You need to create a DNS TXT entry with a key.

This adds a bit more overhead to typo squatting, and a paper trail, since a domain registrar can have identity/billing information subpoenaed. Versus changing a config file and running a publish command...

[panny]

Maven central also requires package signing. You're not stealing my signing key. It's on a yubikey. Game over, you can't publish malware in my name using my key.