npm has introduced staged publishing, a new feature designed to combat supply chain attacks by requiring package maintainers to authenticate with two-factor authentication (2FA) before releasing new versions to the public registry. The feature is now generally available.
Staged publishing creates a buffer between code submission and public availability. When a release is published, whether by a maintainer at a keyboard or by a CI job holding a publish token, the new version enters a pending state instead of becoming installable immediately. A separate approval step, authenticated with the maintainer's second factor, must occur before npm promotes the version to the public registry and makes it available for download.
This addresses a critical attack vector in open source software. A compromised maintainer account or CI/CD pipeline can push malicious code with no human verification at all. The 2021 ua-parser-js incident was exactly this: an attacker who had taken over the maintainer's npm account released poisoned versions, and nothing in the publish path asked for anything more than the stolen credentials. (colors.js, often cited alongside it, was a different failure: its own maintainer deliberately shipped a breaking release, which no publish-time authentication can prevent.)
The two-factor requirement forces attackers to clear an additional hurdle. Even with a stolen password or publish token, they cannot make a version installable without the maintainer's second factor, so a fully automated attack that relies on credential theft alone stalls at the approval step. Two caveats matter in practice. The gate is only as strong as the factor behind it: a TOTP code can be phished together with the password, whereas a hardware-backed WebAuthn assertion is bound to the registry's origin and cannot be replayed from a phishing page. And the approval is a human decision, so it only helps if the maintainer looks at what is pending before promoting it rather than rubber-stamping whatever the pipeline produced.
npm also introduced granular package install controls that let maintainers restrict who can download specific versions or packages. This limits the blast radius if a malicious version does slip through: organizations can block installation of the affected versions while patched releases roll out, instead of relying on every downstream project to notice and pin around them.
Both controls apply per package, so maintainers can enable staged publishing selectively rather than across everything they own. Not all packages face identical risk profiles; a package pulled in by millions of developers is a far more attractive supply chain target than a niche library.
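The install controls above are enforced on the registry side. As an added example (not npm's code and not the feature itself), the following Node script shows the consumer-side counterpart an organization can run in CI: it walks a package-lock.json (lockfileVersion 2 or 3) and fails if any resolved dependency, including nested duplicates and scoped packages, is on a blocklist of known-bad versions. The package names, versions and sample lockfile are constructed for illustration.

```javascript
// Added example, not npm's code: fail a build when package-lock.json resolves any
// dependency to a blocklisted version. Complements registry-side install controls
// with a check the consuming organization controls. Lockfile v2/v3 keeps a
// "packages" map keyed by install path ("node_modules/a/node_modules/b").

// Constructed blocklist: hypothetical package names and versions.
const BLOCKED_VERSIONS = {
  'example-widget': ['1.4.2', '1.4.3'],
  '@acme/tokens': ['0.9.1'],
};

// Constructed sample lockfile, trimmed to the fields the check needs.
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-widget': { version: '1.4.2' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/@acme/tokens': { version: '0.9.0' },
    // A nested copy of a blocked version must be caught too.
    'node_modules/left-pad/node_modules/@acme/tokens': { version: '0.9.1' },
  },
};

// The package name is whatever follows the final "node_modules/" segment, which
// handles scoped packages ("@acme/tokens") and nested duplicates alike.
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  if (idx === -1) return null; // the root project entry ("") has no marker
  return installPath.slice(idx + marker.length);
}

// Return every lockfile entry whose (name, version) pair is blocked.
function findBlockedPackages(lockfile, blocklist) {
  if (!lockfile.packages || lockfile.lockfileVersion < 2) {
    throw new Error('expected lockfileVersion 2 or 3 with a "packages" map');
  }
  const findings = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages)) {
    const name = packageNameFromPath(installPath);
    if (name === null) continue;
    const blocked = blocklist[name];
    if (blocked && blocked.includes(entry.version)) {
      findings.push({ name, version: entry.version, path: installPath });
    }
  }
  return findings;
}

// CI entry point: report each hit and return true only when the tree is clean.
function checkLockfile(lockfile, blocklist) {
  const findings = findBlockedPackages(lockfile, blocklist);
  for (const f of findings) {
    console.error(`blocked: ${f.name}@${f.version} at ${f.path}`);
  }
  return findings.length === 0;
}

console.log(checkLockfile(SAMPLE_LOCKFILE, BLOCKED_VERSIONS) ? 'lockfile clean' : 'lockfile has blocked versions');
```

Run against a real tree by passing `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of the sample and wiring the boolean to the process exit code. Checking the lockfile rather than `package.json` matters: the lockfile records what `npm ci` will actually install, including transitive copies that a top-level range never mentions.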
These controls represent a shift toward human-in-the-loop security for package distribution. Automation accelerates development, but the npm ecosystem has learned that some decisions require explicit human verification. The addition of 2FA-gated publishing and install controls strengthens defenses for developers and the organizations depending
