staticassertion 3 hours ago

Yeah, NPM should be enforcing 2FA, and likely phishing-resistant 2FA for some packages; this should be a real control, issuing public audit events for email address changes, and publish events should include information on how it was published (trusted publishing, manual publish, etc.).

erikerikson 2 hours ago | parent

Instead they took away TOTP as a factor.

Scaling security with the popularity of a repo does seem like a good idea.

mayhemducks 38 minutes ago | parent | next

Are there downsides to doing this? This was my first thought - though I also recognize that first thoughts are often naive.

moebrowne 19 minutes ago | parent | prev

TOTP isn't phishing resistant
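An added illustration of the point made in the last reply, not code from the thread or from npm: a TOTP code is just a function of the shared secret and the clock, so a phishing proxy can relay it to the real site unchanged, whereas an origin-bound factor (WebAuthn-style) signs the origin the browser actually connected to, and the real site rejects an assertion produced on a look-alike domain. The origins, the fixed timestamp, and the use of an HMAC as a stand-in for the authenticator's asymmetric signature are assumptions made for this example; the TOTP part follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).

```python
import hashlib
import hmac
import json
import struct

# Assumed names for the example; the real site and the phishing site.
REAL_ORIGIN = "https://registry.example"
PHISH_ORIGIN = "https://registry-example.evil"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, at // step)


def server_verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Typical server check: accept the current step plus/minus `skew` steps."""
    return any(
        hmac.compare_digest(totp(secret, at + d * step, step), code)
        for d in range(-skew, skew + 1)
    )


def phish_totp(user_secret: bytes, now: int) -> bool:
    """Relay attack against TOTP.

    The victim reads the code from their app and types it into the phishing
    page. The proxy forwards it to the real site within the validity window.
    Nothing in the code says where it was typed, so the real site accepts it.
    """
    victim_code = totp(user_secret, now)        # what the victim sees and types
    relayed_code = victim_code                  # proxy passes it through unchanged
    return server_verify_totp(user_secret, relayed_code, now)


def authenticator_sign(device_key: bytes, challenge: str, origin: str):
    """WebAuthn-style assertion (simplified, HMAC stands in for a signature).

    The browser, not the page's JavaScript, fills in `origin` with the site it
    is actually talking to, so a phishing page cannot claim the real origin.
    """
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    sig = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    return client_data, sig


def server_verify_bound(device_key: bytes, expected_challenge: str, client_data: bytes, sig: str) -> bool:
    """Real site checks the signature, the challenge it issued, and its own origin."""
    expected_sig = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, sig):
        return False
    data = json.loads(client_data)
    return data.get("challenge") == expected_challenge and data.get("origin") == REAL_ORIGIN


def legit_bound(device_key: bytes, challenge: str) -> bool:
    """Victim logs in on the real site: origin matches, assertion accepted."""
    client_data, sig = authenticator_sign(device_key, challenge, REAL_ORIGIN)
    return server_verify_bound(device_key, challenge, client_data, sig)


def phish_bound(device_key: bytes, challenge: str) -> bool:
    """Same relay attack, but the assertion was produced on the phishing origin.

    The proxy forwards the real site's challenge to the victim, the victim's
    authenticator signs it, and the proxy relays the assertion. The signed
    origin is the phishing domain, so the real site rejects it.
    """
    client_data, sig = authenticator_sign(device_key, challenge, PHISH_ORIGIN)
    return server_verify_bound(device_key, challenge, client_data, sig)


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret (constructed input)
    print("TOTP relay accepted by real site:", phish_totp(secret, 1_700_000_000))
    print("Origin-bound legit login accepted:", legit_bound(b"device-key", "nonce-1"))
    print("Origin-bound relay accepted by real site:", phish_bound(b"device-key", "nonce-1"))
```

The only difference that matters between the two flows is the origin inside the signed data: the TOTP server never learns where the code was entered, while the origin-bound server refuses anything not signed for its own domain. Tampering with the origin in the relayed assertion does not help the attacker either, since that breaks the signature.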