I'm not sure how I feel about Passkeys/WebAuthn yet. But as far as I understand, the current npm situation with compromised packages could have been prevented with phishing-resistant 2FA. Combined with trusted publishing [1] this should be a lot harder for malicious actors – at least for this attack vector.