
npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

HackerLegend.com Threat Intelligence (original source)

Keywords: npm supply chain attack prevention, 2FA-gated publishing, package install controls, npm security

1. Threat Overview

npm has introduced 2FA-gated publishing and package install controls to prevent supply chain attacks: a release is published only after a human maintainer approves it by completing a 2FA challenge. This affects npm package maintainers and users. The attack vector is unauthorized package installation.
2. Key Intelligence Points

1. npm has implemented 2FA-gated publishing, which requires human approval for every package release.
2. This affects npm package maintainers and users, particularly those who install unverified packages.
3. The attack chain involves unauthorized package installation; 2FA-gated publishing is the control that prevents it.
4. Detection opportunities include monitoring package installation attempts and verifying package authenticity before install.
3. MITRE ATT&CK Techniques

TA0002: Tactic - Execution, Technique - Command and Control
4. Mitigation & Detection

npm package maintainers should enable 2FA-gated publishing so that no release goes out without a human 2FA approval, which prevents unauthorized package installation downstream. Users should verify package authenticity (for example, that the fetched tarball matches the integrity recorded in their lockfile) before installation.