[robshippr]

The interesting detail from this thread is that every legitimate v1 release had OIDC provenance attestations and the malicious one didn't, but nobody checks. Even simpler, if you're diffing your lockfile between deploys, a brand new dependency appearing in a patch release is a pretty obvious red flag.

[GCUMstlyHarmls]

To be honest, I would have assumed the tooling would do attestation verification for me. The diffing the lockfile would be on me though.