The Hacker News reports on npm’s efforts to reduce supply-chain attacks by changing how publishing credentials work — and what gaps still remain.

## What changed

In response to supply-chain incidents, npm:

- **Revoked classic tokens** and moved toward **short-lived session tokens** for interactive workflows.

- Encouraged **OIDC Trusted Publishing**, where CI jobs obtain per-run credentials rather than storing long-lived secrets.

These moves reduce the window of opportunity if a token is stolen, and help align publishing with stronger identity controls.

## What still worries defenders

The article emphasizes two persistent issues:

1. **MFA phishing can still work**: once an attacker phishes a maintainer through an MFA prompt, even a short-lived credential gives them enough time to publish a malicious release.

2. **MFA on publish can be optional**: maintainers may still create long-duration tokens that bypass MFA, which recreates the old risk profile.

## Why this matters to web developers

JavaScript ecosystems depend heavily on transitive dependencies. A compromised maintainer account can quickly ripple through CI pipelines and production deployments.

## Recommended actions (practical)

- Enable **MFA on publish** wherever possible.

- Prefer **OIDC trusted publishing** over storing npm tokens in CI.

- Audit who can publish, rotate credentials, and monitor package releases for anomalous publishes.
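As an added example (not code from the article or from npm), the following Node.js check shows one way to act on the last bullet: it inspects a package's registry metadata and flags releases published by someone outside the team's allowlist, or releases that introduce an install-time script. The allowlist, the "known versions" set and the sample packument are assumptions constructed for the example.

```javascript
// Added example, not code from the article or from npm: flag releases in an npm registry
// "packument" (the JSON from GET https://registry.npmjs.org/<name>) that were published by a
// user outside the team's allowlist or that add an install-time lifecycle script.
// versions, time, _npmUser and scripts are real registry fields; the data below is constructed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Names of the install-time lifecycle scripts declared in one version's manifest.
function installHooks(versionMeta) {
  const scripts = (versionMeta && versionMeta.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts);
}
// Return {version, reason} findings for every version not in knownVersions. Versions are
// walked in publish-time order so each new one is compared with its immediate predecessor.
function findAnomalousReleases(packument, knownVersions, allowedPublishers) {
  const findings = [];
  const ordered = Object.keys(packument.versions).sort(
    (a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b])
  );
  let previous = null;
  for (const version of ordered) {
    const meta = packument.versions[version];
    if (!knownVersions.has(version)) {
      const publisher = meta._npmUser ? meta._npmUser.name : "(unknown)";
      if (!allowedPublishers.has(publisher)) {
        findings.push({ version, reason: `published by unexpected user ${publisher}` });
      }
      const before = new Set(installHooks(previous));
      const added = installHooks(meta).filter((hook) => !before.has(hook));
      if (added.length > 0) {
        findings.push({ version, reason: `adds install script(s): ${added.join(", ")}` });
      }
    }
    previous = meta;
  }
  return findings;
}

// Constructed sample packument: 1.0.0 is the last release the team reviewed.
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  time: { "1.0.0": "2024-01-01T10:00:00Z", "1.0.1": "2024-02-01T10:00:00Z", "1.0.2": "2024-02-01T10:07:00Z" },
  versions: {
    "1.0.0": { _npmUser: { name: "maintainer-a" }, scripts: { test: "node test.js" } },
    "1.0.1": { _npmUser: { name: "maintainer-a" }, scripts: { test: "node test.js" } },
    "1.0.2": { _npmUser: { name: "unexpected-user" }, scripts: { test: "node test.js", postinstall: "node setup.js" } },
  },
};
const SAMPLE_FINDINGS = findAnomalousReleases(SAMPLE_PACKUMENT, new Set(["1.0.0"]), new Set(["maintainer-a"]));
console.log(SAMPLE_FINDINGS); // two findings, both for 1.0.2
```

In practice the packument would be fetched from the registry on a schedule and the known-versions set persisted between runs, so only releases that appeared since the last check are reported.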

Source: The Hacker News (see link below).