Very amateur. Who would fall that, really? I can only suspect npm people who are used to unprofessional repo hosting practices.

Such a Two Factor Authentication update request would have needed a blog post first, to announce such a fishy request.