Publishing a Maven package is also excruciatingly complicated. By contrast, NPM is actually too easy. I suspect that we see fewer supply chain attacks in the Java ecosystem because attackers are like “you know what.. never mind.”