> Both versions were published using the compromised npm credentials of a lead axios maintainer, bypassing the project's normal GitHub Actions CI/CD pipeline.

Doesn’t npm mandate 2FA as of some time last year? How was that bypassed?

▲

bakugo 16 hours ago | parent [-]

Apparently it's possible to create access tokens that bypass 2FA. Might've been this.

https://docs.npmjs.com/creating-and-viewing-access-tokens

▲

stingraycharles 16 hours ago | parent [-]

Correct, for CI/CD systems that want to push releases.

	▲	masklinn 15 hours ago \| parent [-]
		If GitHub, gitlab, or circleci, trusted publishing is available. No access token whatsoever.