RPKI addresses both.
Route Origin Authorizations (ROAs) enforce which ASes are allowed to originate a prefix. ROAs address origin hijacks, and have been around for longer.
Autonomous System Provider Authorizations (ASPAs) enforce which ASes are allowed to be adjacent to each other in an AS_PATH. ASPAs address path hijacks, and were introduced more recently. It used to be that you had to self-host (as in the article) in order to publish ASPAs, but RIRs are now starting to support them on their hosted RPKI offerings. I'm surprised the article didn't mention this as a reason to run your own RPKI.
If the first hop publishes a ROA, and all subsequent hops publish an ASPA, then the full path can be validated.
Also note that ASPA validation prevents only hijack by peers and customers, not by providers. Due to way how ASPA validation works, providers could always announce to their customers routes with valid-looking AS PATH with hijacked ASN appended at its end.
Note that the first hop has to publish both ROA and ASPA records, as ASPA records describes a set of valid providers.
That makes sense, thanks!
What's the history and status of ASPA? As far as I can see, it's a fairly active draft with the IETF: https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-ver...
It says it's on the standards track, but it's clearly quite new. How well has it been proven out? This page from Hurricane Electric shows <3% adoption: https://bgp.he.net/report/rpki_and_aspa