npm has implemented a notable authentication overhaul aimed at reducing supply-chain attacks in the JavaScript ecosystem, but security practitioners warn it’s not a silver bullet.

## What changed

Following high-profile incidents, npm:

- Revoked **classic (long-lived) tokens** and moved interactive workflows toward **short-lived session tokens**

- Encouraged **OIDC Trusted Publishing**, where CI jobs obtain ephemeral, per-run credentials instead of storing secrets

These shifts matter because a stolen credential now expires quickly, and sensitive actions such as publishing can be gated behind MFA.

## What risks remain

The analysis highlights two key issues:

1) **MFA-phishing still works.** If an attacker tricks a maintainer into handing over their login plus a one-time code, even a short-lived token may live long enough to publish malware.

2) **MFA on publish can be optional.** Token settings that bypass MFA on publish (and can last ~90 days) recreate the old long-lived-credential problem if an attacker gains access to the account's web console.

## Why this matters for web developers

Node projects routinely depend on deep dependency trees. Any compromise of a popular package can cascade quickly into downstream builds and production deployments.

## Practical takeaways

- Prefer OIDC-based trusted publishing for CI.

- Treat token bypass settings as high risk; avoid long-lived publish-capable tokens.

- Add release verification and monitoring (e.g., lockfiles, provenance signals where available).
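Added example (not from the original article): a GitHub Actions release workflow that publishes via OIDC Trusted Publishing instead of a stored `NPM_TOKEN` secret. It assumes the package has been registered as a trusted publisher on npmjs.com for this repository and this workflow file name, and that the runner can install an npm release that supports trusted publishing.

```yaml
# .github/workflows/publish.yml (hypothetical file name; it must match the
# workflow name registered in the package's Trusted Publisher settings on npmjs.com)
name: Publish to npm via OIDC

on:
  release:
    types: [published]

permissions:
  contents: read
  # id-token: write lets the job request a short-lived OIDC token from GitHub.
  # npm exchanges it for a per-run publish credential; nothing long-lived is stored.
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing requires a recent npm CLI; pin to a known-good
      # version in real use rather than @latest.
      - run: npm install -g npm@latest

      # npm ci installs exactly what the lockfile says and fails on drift,
      # which is the "lockfile" verification signal from the takeaways above.
      - run: npm ci

      - run: npm test

      # No NODE_AUTH_TOKEN / NPM_TOKEN env var here: the credential comes from
      # the OIDC exchange for this run only. --provenance attaches a signed
      # attestation linking the published tarball to this workflow run.
      - run: npm publish --provenance --access public
```

The weak pattern this replaces is a `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` line holding a long-lived, MFA-bypass publish token; with trusted publishing there is no such secret to leak, and a compromised account console cannot mint one for this workflow.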

The broader message: authentication defaults are improving, but developer teams should assume *some* supply-chain risk persists and build layered defenses.