Hosting code with automated publishing into well-known namespaces is looking more and more like a broken model. A better approach is human verification of package names like in #Debian, @fdroidorg, #MavenCentral. Then other pieces can be safely automated. https://www.bleepingcomputer.com/news/security/critical-cloudflare-cdn-flaw-allowed-compromise-of-12-percent-of-all-sites/