I have to wonder if using the same approach as Packagist would be better. In order to upload to Packagist you have to link your git repo (GitHub, Bitbucket, etc.) to your Packagist account and sync it that way. The thing npm got wrong here is that you can upload without doing any of that. Seems like that simple step would have prevented this if I'm understanding the chain of events correctly.
I don't know, it seems like your SSH key could've been compromised the same way the npm publish token was obtained. So that would only protect those that do not use SSH (or GitHub, which luckily isn't required to publish an npm package) to push.
Perhaps. Though I find that the statistical odds of an SSH key being breached are smaller than spoofing web credentials, though I could be wrong, my background is not in security. Just anecdotally, I actually haven't met anyone that has had their SSH keys hacked/stolen/compromised, but I know lots and lots of people, even smart people who use 2-factor for everything, have had something compromised (though I can vividly remember one case where it was 2-factor that saved the day from one of my co-workers having a very nasty identity theft problem. Remember folks, don't ever save a note in your email with your SSN and Driver's License).
Sure, this is true. Though for the audience of folks that would 1. know what an SSH key is and 2. know how to generate one, I would put better than average odds on the SSH key not being compromised than any internet account, particularly if it does not have 2FA enabled.
This is why your SSH key has no business being in the filesystem and should instead be on a hardware token where all the crypto/signing operations happen on the HW token's chip.
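As an added example (not written by any commenter in this thread), a POSIX shell script that audits a directory of `.pub` files for keys whose private half is a plain file rather than a handle to a hardware authenticator. It relies on one real OpenSSH convention: FIDO2-backed keys generated with `ssh-keygen -t ed25519-sk` or `-t ecdsa-sk` (OpenSSH 8.2+) have the key types `sk-ssh-ed25519@openssh.com` and `sk-ecdsa-sha2-nistp256@openssh.com`, and their signing key never leaves the token. The sample keys in the block are constructed placeholders, not real key material; `classify_key` and `audit_pubkeys` are names chosen for this example.

```shell
#!/bin/sh
# Added example: flag SSH public keys that are not backed by a hardware token.
# OpenSSH FIDO2 ("sk-") key types mean the private key on disk is only a
# handle; signing happens on the authenticator. Such a key is produced with:
#   ssh-keygen -t ed25519-sk -O resident -O verify-required

# classify_key LINE: takes one id_*.pub style line ("<type> <base64> [comment]")
# and prints "hardware" for sk-* types, "software" for conventional key types,
# and "unknown" for anything else (lines with authorized_keys options are not handled).
classify_key() {
    keytype=$(printf '%s\n' "$1" | awk '{print $1}')
    case "$keytype" in
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
            echo hardware ;;
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-dss)
            echo software ;;
        *)
            echo unknown ;;
    esac
}

# audit_pubkeys DIR: scan every *.pub file in DIR, print a WARN line to stderr
# for each key that is not hardware-backed, and print the number of such keys
# to stdout (0 means every key found lives on a token).
audit_pubkeys() {
    dir=$1
    soft=0
    for f in "$dir"/*.pub; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            kind=$(classify_key "$line")
            if [ "$kind" != hardware ]; then
                printf 'WARN %s: %s key of type %s\n' \
                    "$f" "$kind" "$(printf '%s\n' "$line" | awk '{print $1}')" >&2
                soft=$((soft + 1))
            fi
        done < "$f"
    done
    echo "$soft"
}

# Demo on constructed sample keys (placeholder base64, not real keys).
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA laptop\n' \
    > "$demo_dir/id_ed25519.pub"
printf 'sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER token\n' \
    > "$demo_dir/id_ed25519_sk.pub"
audit_pubkeys "$demo_dir"   # prints 1: only the laptop key is software-only
rm -rf "$demo_dir"
```

Run it against `~/.ssh` to see which of your own keys would still be exposed to a filesystem read; a non-zero count is the list of keys worth migrating to a token.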