compartmentalize. I do development and anything finance / crypto related / sensitive on separate machines.

If you're brave you can run whonix.

The issue is developers who have publish access to popular packages - they really should be publishing and signing on a separate machine / environment.

Same with not doing any personal work on corporate machines (and having strict corp policy - vercel were weak here).