npm 2FA gated publishing Rolls Out to Thwart Supply‑Chain Attacks

npm 2FA gated publishing: a new shield for the software supply chain

GitHub has pushed the staged publishing feature into general availability, demanding that a maintainer confirm each release with a two‑factor authentication challenge before the package is visible to the public. This extra human check aims to block malicious actors from slipping compromised code into the npm ecosystem.

Key benefits include immediate revocation of unauthorized uploads and granular control over who can push updates. Maintainers can now set the policy at the package level, ensuring that every new version passes a verified gate.

“This is a game‑changer for protecting the integrity of open‑source ecosystems,” said a GitHub security engineer.

Early data suggest a ↓ 30% reduction in malicious package installations since the beta rollout. For broader industry reaction, see Reuters and Bloomberg.