[magackame]

Huh? But there are integrity checks (none in htmx case, which is strange), to prevent exactly this attack.

[trimethylpurine]

I'm not sure I follow. How does an integrity check help when the source is compromised? The developer doesn't know that their repo is compromised. They continue posting legitimate hashes because the repo is legitimately compromised.