Security hot take: When a build tool (NPM/Cargo/Maven/etc) tries to download a known compromised version of a package, the repository should send the build a status code that breaks the build on the client side.

Business process interruptions should not be prioritised ahead of integrity and confidentiality.
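A sketch of the mechanism the take proposes, as an added example and not code from the original post: the registry keeps a list of known-compromised (name, version) pairs and answers tarball requests for them with a 4xx status, so an installer that follows the usual "non-2xx means fetch failure" rule aborts the build instead of unpacking the package. The package names, versions and the `BuildBroken`/`serve_tarball`/`install_lockfile` names are assumptions invented for the example.

```python
"""Model of a package registry that refuses to serve known-compromised
versions, plus the client-side install step that fails on that refusal.
Added example; not the post author's code and not any real registry's API."""
from dataclasses import dataclass

# Constructed blocklist with placeholder names/versions (not real advisories).
COMPROMISED = {
    ("example-pkg", "1.2.3"),
    ("another-lib", "4.0.1"),
}


@dataclass
class RegistryResponse:
    status: int
    body: str


def serve_tarball(name: str, version: str, blocklist=COMPROMISED) -> RegistryResponse:
    """Registry side: refuse a known-compromised version with a 4xx status.

    403 is used here; any non-2xx status works as long as installers treat it
    as a fetch failure (the assumption this model relies on)."""
    if (name, version) in blocklist:
        return RegistryResponse(
            403, f"{name}@{version} is a known compromised release; refusing to serve"
        )
    return RegistryResponse(200, f"<tarball bytes for {name}@{version}>")


class BuildBroken(Exception):
    """Raised on the client when any dependency fetch fails."""


def install_lockfile(lockfile: dict, registry=serve_tarball) -> list:
    """Client side: fetch every pinned dependency; abort on the first non-2xx.

    lockfile maps package name -> exact version (a minimal stand-in for a
    real lockfile). Returns the list of installed 'name@version' strings."""
    installed = []
    for name, version in lockfile.items():
        resp = registry(name, version)
        if resp.status != 200:
            # Break the build rather than continue with a partial install;
            # integrity wins over keeping the pipeline green.
            raise BuildBroken(f"HTTP {resp.status} for {name}@{version}: {resp.body}")
        installed.append(f"{name}@{version}")
    return installed


def build_succeeds(lockfile: dict) -> bool:
    """Convenience wrapper: True if every dependency was served, else False."""
    try:
        install_lockfile(lockfile)
        return True
    except BuildBroken:
        return False


if __name__ == "__main__":
    clean = {"example-pkg": "1.2.4", "another-lib": "4.0.2"}
    tainted = {"example-pkg": "1.2.3", "another-lib": "4.0.2"}
    print("clean lockfile builds:", build_succeeds(clean))
    print("tainted lockfile builds:", build_succeeds(tainted))
```

The point of modelling both sides is that the decision lives in one place (the registry's blocklist) while the enforcement is free: no installer changes are needed if the registry simply stops answering 200 for a release it knows is bad.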

#security #sha1hulud