Hacker News

redwall_hp, yesterday at 4:20 PM (1 reply)

Maven Central verifies the domain used for the package namespace, too. You need to create a DNS TXT entry with a key.

This adds a bit more overhead to typosquatting, and a paper trail, since a domain registrar can have identity/billing information subpoenaed. Versus changing a config file and running a publish command...
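As an added illustration of the check the comment above describes (this is example code written for this page, not Maven Central's or Sonatype's implementation): a registry maps a reversed-domain namespace back to the domain it claims, then looks for a verification token in that domain's TXT records. The `registry-verify=` record format is an assumption for illustration, and `lookup_txt` reads a constructed in-memory zone table so the script runs offline; in practice it would issue a real DNS query. The second namespace is a constructed typosquat whose domain never published the token.

```python
"""
Added example: tying a reversed-domain namespace such as "com.example.mylib"
to a DNS TXT record, in the spirit of the Maven Central check described above.
The record format (TOKEN_PREFIX) and the zone data are assumptions constructed
for this example; replace lookup_txt() with a real resolver call
(e.g. dnspython's dns.resolver.resolve(name, "TXT")) to use it for real.
"""
import re
import secrets

# Constructed sample zone data: domain -> TXT record strings.
# "example.com" has published its verification token; "exampel.com"
# (a typosquat of it) has not.
FAKE_DNS_TXT = {
    "example.com": [
        "v=spf1 -all",
        "registry-verify=9f2c1a0e7b3d4c5a",
    ],
    "exampel.com": [
        "v=spf1 -all",
    ],
}

# Assumed record format for this example, not a real registry's literal one.
TOKEN_PREFIX = "registry-verify="


def lookup_txt(domain: str) -> list[str]:
    """Resolver stand-in: returns the constructed TXT records for a domain."""
    return FAKE_DNS_TXT.get(domain, [])


def namespace_to_domain(group_id: str) -> str:
    """
    Map a reversed-domain namespace to the registrable domain it claims:
    'com.example.mylib' -> 'example.com'. Assumes a single-label public
    suffix; a production check should consult the Public Suffix List so
    that 'uk.co.example.mylib' maps to 'example.co.uk', not 'co.uk'.
    """
    labels = group_id.lower().split(".")
    if len(labels) < 2 or not all(re.fullmatch(r"[a-z0-9-]+", l) for l in labels):
        raise ValueError(f"not a reversed-domain namespace: {group_id!r}")
    tld, sld = labels[0], labels[1]
    return f"{sld}.{tld}"


def new_token() -> str:
    """Random challenge the registry hands the publisher to put in DNS."""
    return secrets.token_hex(8)


def domain_has_token(domain: str, token: str) -> bool:
    """True if any TXT record at `domain` carries exactly this token."""
    expected = TOKEN_PREFIX + token
    return any(record.strip() == expected for record in lookup_txt(domain))


def namespace_verified(group_id: str, token: str) -> bool:
    """Full check: derive the claimed domain, then look for the token there."""
    return domain_has_token(namespace_to_domain(group_id), token)


if __name__ == "__main__":
    token = "9f2c1a0e7b3d4c5a"
    for ns in ("com.example.mylib", "com.exampel.mylib"):
        print(ns, "->", namespace_to_domain(ns),
              "verified:", namespace_verified(ns, token))
```

The typosquatted namespace fails not because the registry knows it is a typo, but because the attacker would have to register `exampel.com` and publish the token there, which is exactly the registrar paper trail the comment points to.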


Replies

panny, today at 12:52 AM

Maven Central also requires package signing. You're not stealing my signing key. It's on a YubiKey. Game over, you can't publish malware in my name using my key.