A supply chain attack would likely be able to publish a "security" release just as easily as a normal release, so I don't think that would help much.