lpln3452 4 days ago

In a case like this, the package maintainer's account itself has been hacked, so I'm not sure if that would be meaningful.

The only solution would be to prevent all releases from being applied immediately.
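One way to act on the "don't apply releases immediately" idea is a minimum-release-age gate run in CI before `npm ci`. The following is an added example, not code from the thread or from any of its posters: it walks a package-lock.json (v3 `packages` map, keyed by install path) and compares each pinned version against the `time` field of the npm registry's package document, which maps versions to publish timestamps. Both the lockfile and the registry documents below are constructed fixtures; in real use the registry documents would be fetched from `https://registry.npmjs.org/<name>`, and the seven-day window is an assumed policy value.

```javascript
// Minimum-release-age check for an npm lockfile (added example, not from the thread).
// A version younger than MIN_AGE_MS, or one with no publish timestamp at all,
// is reported as a policy violation so a hijacked-maintainer release has time
// to be noticed and unpublished before it lands in a build.

const MIN_AGE_MS = 7 * 24 * 60 * 60 * 1000; // assumed policy: 7 days

// Constructed sample registry documents: only the `time` field is used here.
// (Real documents from https://registry.npmjs.org/<name> carry the same field.)
const registryFixture = {
  "example-a": { time: { "2.0.0": "2024-01-15T00:00:00.000Z" } },
  "example-b": { time: { "1.4.1": "2025-06-01T00:00:00.000Z",
                         "1.4.2": "2025-09-09T06:00:00.000Z" } },
  "@example/c": { time: { "0.2.9": "2025-03-03T00:00:00.000Z" } }, // 0.3.0 missing
  "@example/d": { time: { "3.1.0": "2025-09-02T00:00:00.000Z" } },
};

// Constructed package-lock.json v3 subset, including a nested transitive dep.
const lockFixture = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { "example-a": "^2.0.0", "example-b": "^1.4.0" } },
    "node_modules/example-a": { version: "2.0.0" },
    "node_modules/example-b": { version: "1.4.2" },
    "node_modules/example-b/node_modules/@example/c": { version: "0.3.0" },
    "node_modules/@example/d": { version: "3.1.0" },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b": the package name is whatever
// follows the last "node_modules/" segment of the lockfile path.
function packageNameFromLockPath(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Milliseconds since the version was published, or null when the registry
// document does not record a publish time for that exact version.
function releaseAgeMs(registry, name, version, nowMs) {
  const publishedAt = registry[name]?.time?.[version];
  if (!publishedAt) return null;
  return nowMs - Date.parse(publishedAt);
}

// Returns one violation object per package that fails the policy.
function checkLockfile(lock, registry, nowMs = Date.now(), minAgeMs = MIN_AGE_MS) {
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageNameFromLockPath(lockPath);
    const age = releaseAgeMs(registry, name, entry.version, nowMs);
    if (age === null) {
      violations.push({ name, version: entry.version,
        reason: "no publish time for this version in registry metadata" });
    } else if (age < minAgeMs) {
      const days = Math.floor(age / 86_400_000);
      violations.push({ name, version: entry.version,
        reason: `published ${days} day(s) ago; policy requires ${minAgeMs / 86_400_000}` });
    }
  }
  return violations;
}

// Stand-alone run against the fixtures with a fixed "now" so the result is stable.
const FIXED_NOW = Date.parse("2025-09-10T00:00:00.000Z");
for (const v of checkLockfile(lockFixture, registryFixture, FIXED_NOW)) {
  console.log(`BLOCKED ${v.name}@${v.version}: ${v.reason}`);
}
```

Treating a missing publish time as a failure rather than a pass is deliberate: a version the registry cannot date is exactly the case the gate should not wave through. The check only delays exposure; it is meant to sit alongside, not replace, publish-time 2FA on the maintainer side.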

dherls 4 days ago

A solution could be enforcing hardware keys for 2FA for all maintainers if a package has more than XX thousand weekly downloads.

No hardware keys, no new releases.

ozim 3 days ago

Passkeys - no need for hardware key.

They have it implemented.

I created an NPM account today and added a passkey from my laptop and a hardware key as secondary. As I have it configured, it asked me for it while publishing my test package.

So the guy either had TOTP or just the pw.

Seems like it should be easy to implement enforcement.

winkelmann 3 days ago

Crucially, it would have to be set up so they need to use the hardware key when pushing any changes. Just requiring a hardware key as a login method does nothing to protect against token stealing, which I believe is the most common form of supply chain attack right now.

dsff3f3f3f 4 days ago

There needs to be a massive push from the larger important packages to eliminate these idiotic transitive dependencies. Core infrastructure shouldn't rely on trivial packages maintained by a single random person from who knows where that can push updates without review. It's absolutely insane.