As a PyPI package maintainer, you've noticed that something strange is happening. Packages are being published using your name, but you know you didn't publish them. After some investigation, you discover that your account has been hacked, and the hacker is using a new 'trusted publishing' method that doesn't require passwords. Can you track down the hacker and clear your name before it's too late?