Hmm, maybe npm needs to do the same thing the iPhone does now.

If you change your key you can't use it for like 12 hours or something?

Yes though in theory my public key would have been published elsewhere at least for verification. Valid point though, yes they would have been able to do that.

For this kind of infrastructure, some kind of real world verification may be necessary as well. Like having human ran phone verification (not AI, an actual call center) using information intentionally kept offline for securing more widespread and mission critical packages.

They can't pwn what they can't find online.

Push to many repos with a brand new key would (should) trigger red flags.

Good point. But how should the red flag materialize?