I wouldn't mind a simple touch id (or password) requirement every time I run `npm publish` to help prevent such an attack.