
npm Launches Staged Publishing with 2FA Gating to Counter Supply Chain Attacks

Tags: npm · supply-chain · devsecops

GitHub has made “staged publishing” generally available on npm, requiring a human maintainer to pass a 2FA challenge before a release becomes publicly installable. The update also adds package install controls, giving maintainers explicit approval over which versions can be consumed downstream.

The controls directly target account-takeover-based supply chain attacks — a recurring threat in the npm ecosystem, where a stolen maintainer token or compromised CI credential has been enough to push a malicious version. Package maintainers with broad downstream consumers should enable staged publishing now; requiring a human to pass a 2FA challenge before a version becomes installable meaningfully raises the cost of attacks that publish through automated or hijacked pipelines.