Supply Chain Attack
npm Makes Staged Publishing Generally Available — a 2FA-Gated Step Now Guards the Registry
GitHub has made npm staged publishing generally available. A direct publish no longer ships a package; the tarball waits in a stage queue until a maintainer passes a 2FA challenge to approve it. It is the first ecosystem-level structural answer to the 2026 supply-chain wave.