https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package
npm OIDC Trusted Publishing token-exchange endpoint abused for self-replication: a package-scoped automation token is minted without stored credentials, then trojanized versions are republished.
discovered 2026-06-03
