Recent attacks against maintainers of popular open-source dependencies have shown than even seasoned developers are vulnerable to sophisticated phishing attacks. The only real defense is to use phishing-resistant MFA, like the Allthenticator.