Yeah, NPM should be enforcing 2FA, and likely phishing-resistant 2FA for some packages; this should be a real control. It should also issue public audit events for email address changes, and publish events should include information on how the package was published (trusted publishing, manual publish, etc.).
Instead they took away TOTP as a factor.
Scaling security with the popularity of a repo does seem like a good idea.