The Hacker News · Sunday, May 24, 2026

npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

Tags: npm, supply-chain-security, 2fa, github

GitHub announced the general availability of staged publishing for npm, a feature designed to bolster software supply chain security. Staged publishing requires that a human maintainer explicitly approve a release by passing a two-factor authentication (2FA) challenge before the package becomes publicly available for installation. This mechanism prevents automated or compromised accounts from pushing malicious updates without human oversight. The feature is now available to all npm maintainers, adding an extra layer of verification to the publishing process. By mandating 2FA-gated approvals, npm aims to mitigate supply chain attacks that have historically exploited weak account security or automated publishing workflows. The rollout follows increasing industry focus on securing package registries, with similar measures adopted by other ecosystems. Maintainers can enable staged publishing in their package settings, and it is expected to become a standard practice for critical packages.

// why it matters

Staged publishing with 2FA reduces the risk of supply chain attacks via compromised npm accounts.

Sources

Primary · The Hacker News
▸ Read original at thehackernews.com
