Trusted Token

You are a PyPI package maintainer who adopts the new Trusted publishing method. Everything seems perfect until one day, a package that you did not publish appears on PyPI, and it is being used to hack a government server. You must get to the bottom of this conspiracy and clear your name before it's too late.