A sprawling npm supply-chain incident shows how a single publishing path can ripple through developer tooling, while provenance metadata may look reassuring even when it is part of the problem.