Self-Propagation via Trusted Publishing Worm

Pushes oidc-<hex> branches that rewrite the repository's trusted CI publishing workflow, exchanges the resulting OIDC token for npm publish tokens, repackages legitimate tarballs with a malicious preinstall script, re-signs them via Sigstore (Fulcio/Rekor), and republishes them with valid provenance.

Discovered 2026-06-01

Seen in packages

Campaigns