As package registries find better ways to combat cyberattacks, threat actors are finding other methods for spreading their malware to developers.