Only 14% of previously compromised npm packages use modern security controls like Trusted Publishing.