thehackernews.com 2/13/2026, 11:40:44 AM · via preferred

npm’s Update to Harden Their Supply Chain, and Points to Consider

Primary Source github.blog

In December 2025, npm overhauled its authentication in response to the Shai-Hulud incident, revoking classic tokens and moving to session-based credentials to curb supply-chain abuse. The changes include short-lived tokens, typically two hours, and a default MFA requirement for publishing, with an emphasis on per-run credentials via OIDC Trusted Publishing.
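As an added illustration (not from the article, github.blog, or npm's own documentation), two GitHub Actions workflow files shown side by side in one YAML stream: the long-lived-token pattern the overhaul retires, and the per-run OIDC Trusted Publishing pattern it favours. The package, organisation and secret names are placeholders, and the hardened job assumes the package's trusted publisher has already been registered on npmjs.com to point at this repository and workflow file.

```yaml
# Added example, not from the article. Placeholders: example-org/example-pkg, NPM_TOKEN.
#
# BEFORE: a classic or granular token stored as a repository secret. It is reusable
# outside this run, so a leak (malicious dependency, rogue step, phished maintainer)
# keeps publishing until someone revokes it. This is the model npm is retiring.
name: publish-with-static-token
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived, shared across every run
---
# AFTER: OIDC Trusted Publishing, no stored npm token at all. Each run requests a
# short-lived identity token from GitHub; npm exchanges it for a publish credential
# bound to this repository and workflow, so nothing reusable exists between runs.
# Assumes npm CLI >= 11.5.1 and a trusted publisher configured for the package.
name: publish-trusted
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write        # allows the job to mint an OIDC token; no other write scope
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # CLI version that performs the OIDC exchange
      - run: npm ci
      - run: npm publish --access public # no NODE_AUTH_TOKEN; provenance attested by npm
```

On the consuming side, `npm audit signatures` checks the registry signatures and provenance attestations of installed packages, which is how a downstream project verifies that a release actually came through a trusted-publishing run.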

While the overhaul strengthens protections, the article notes that npm projects are not immune to supply-chain attacks, and MFA on publish remains optional in some cases, leaving potential attack surfaces intact. It also highlights past incidents such as MFA phishing aimed at npm’s console, which could still enable attackers to obtain both login details and one-time passwords.

The piece argues that enforcing MFA more broadly, particularly for local uploads, would further reduce the blast radius of compromised accounts. Finally, it cites Chainguard’s approach as an example of building from verifiable upstream sources to minimise reliance on published artifacts.


Article by CyberSIXT
