npm rolled out major authentication changes in late 2025 intended to reduce account-takeover driven supply-chain incidents. A new analysis argues that while it’s progress, it’s not the end of the story.

## What changed

- Classic npm tokens were revoked.

- Interactive workflows now use short-lived session tokens (typically ~2 hours), obtained via login.

- npm encourages OIDC trusted publishing so CI can mint short-lived, per-run credentials rather than store long-lived secrets.
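The two CI patterns the list above contrasts, shown side by side as an added example (this is not the page's or npm's own code). Both are GitHub Actions workflows; the first stores a long-lived npm token as a repository secret, the second relies on OIDC trusted publishing. Assumptions: the project uses GitHub Actions with `actions/checkout@v4` and `actions/setup-node@v4`, the package's trusted publisher (repository and workflow filename) has already been registered in the package's settings on npmjs.com, and the runner installs a recent npm CLI, since trusted publishing needs a newer version than some setup-node defaults ship.

```yaml
# BEFORE (weak): a long-lived npm token lives in repository secrets.
# Anyone who can read or steal NPM_TOKEN can publish at any time, with no
# per-run scoping and, depending on the token type, no MFA check.
name: publish-with-secret
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # stored secret (weak)
---
# AFTER (hardened): OIDC trusted publishing. No npm secret is stored anywhere.
# The job asks GitHub for a short-lived OIDC token, npm exchanges it for a
# per-run registry credential that is only valid for this workflow, this
# repository and this job, and it expires when the run ends.
name: publish-trusted
on:
  release:
    types: [published]
permissions:
  contents: read
  id-token: write   # required so the job can request an OIDC token
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Assumption: trusted publishing needs a recent npm CLI; upgrade explicitly.
      - run: npm install -g npm@latest
      - run: npm ci
      # No NODE_AUTH_TOKEN here. npm detects the OIDC environment, mints a
      # short-lived credential, publishes, and attaches a provenance attestation.
      - run: npm publish --access public
```

The defender-relevant difference is where the trust is anchored: in the first workflow it is a bearer secret that can be exfiltrated from CI logs, forks or a compromised maintainer laptop; in the second it is the identity of the workflow run itself, which the registry checks against the trusted-publisher record. Note that `id-token: write` should be granted only to the publishing job, not at workflow level for every job, and the trusted-publisher record should pin the exact workflow filename so an attacker who can add a new workflow to a fork cannot reuse it.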

## What still worries defenders

- MFA phishing can still compromise short-lived sessions long enough to publish malware.

- MFA-on-publish is still optional, and some token configurations can effectively bypass MFA for extended periods (e.g., 90-day tokens).

## Why this matters

The security of the JavaScript ecosystem is disproportionately impacted by compromised maintainer accounts. Even short-lived credentials are enough for an attacker to push a malicious release, and downstream users may auto-update into compromise.

## Recommendations discussed

- Make OIDC the long-term standard for publishing.

- Enforce MFA for local uploads and remove MFA-bypass token options.

- Add package release metadata that helps consumers assess maintainer security posture.