top | item 45184241


dherls | 5 months ago

A solution could be enforcing hardware keys for 2FA for all maintainers if a package has more than XX thousand weekly downloads.

No hardware keys, no new releases.


ozim | 5 months ago

Passkeys - no need for hardware key.

They have it implemented.

I created an NPM account today and added a passkey from my laptop and a hardware key as secondary. As I have it configured, it asked me for it while publishing my test package.

So the guy either had TOTP or just the pw.

Seems like it should be easy to implement enforcement.

winkelmann | 5 months ago

Crucially, it would have to be set up so they need to use the hardware key when pushing any changes. Just requiring a hardware key as a login method does nothing to protect against token stealing, which I believe is the most common form of supply chain attack right now.
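As an added example (not code from the thread, and not npm's own implementation), here is a small registry-side publish gate in JavaScript that models both rules raised above: dherls's download-threshold rule (every maintainer of a high-traffic package must hold a hardware key or the package gets no new releases) and winkelmann's refinement (the key has to be exercised on the publish itself, because a key that only guards login does nothing against a stolen session or token). The data shapes, the threshold value, the function name and the sample package are assumptions for illustration only.

```javascript
// Added example (not from the thread or from npm): a registry-side publish gate
// modelling the two rules discussed above. All data shapes, names and the
// threshold are assumptions for illustration, not npm's real API or policy.

const WEEKLY_DOWNLOAD_THRESHOLD = 50_000; // stands in for the "XX thousand" in the proposal

// Factors that count as a hardware key: a WebAuthn credential (security key or
// passkey). TOTP is phishable and relayable, so it is deliberately not in this set.
const HARDWARE_FACTORS = new Set(["webauthn"]);

/**
 * pkg: { name, weeklyDownloads, maintainers: [{ login, factor, mode }] }
 *   factor: "none" | "totp" | "webauthn"
 *   mode:   "auth-only" | "auth-and-writes"  (when the second factor is demanded)
 * req: { publisher, credential: "session" | "token", freshAssertion: boolean }
 *   freshAssertion: a WebAuthn assertion was completed for this publish request
 * Returns { allowed, reasons } so the caller can log why a publish was refused.
 */
function evaluatePublish(pkg, req) {
  const reasons = [];

  // The policy only applies above the download threshold.
  if (pkg.weeklyDownloads < WEEKLY_DOWNLOAD_THRESHOLD) {
    return { allowed: true, reasons: ["below threshold; hardware-key policy not enforced"] };
  }

  // Rule 1: every maintainer must have a hardware key enrolled, or the package
  // gets no new releases at all (any of them could be the one who publishes).
  const noKey = pkg.maintainers.filter((m) => !HARDWARE_FACTORS.has(m.factor));
  if (noKey.length > 0) {
    reasons.push(`maintainers without a hardware key: ${noKey.map((m) => m.login).join(", ")}`);
  }

  // Rule 2: the key must be used on the write itself. A key that only guards
  // login is bypassed entirely once a session cookie or publish token is stolen.
  const publisher = pkg.maintainers.find((m) => m.login === req.publisher);
  if (!publisher) {
    reasons.push(`${req.publisher} is not a maintainer of ${pkg.name}`);
  } else {
    if (publisher.mode !== "auth-and-writes") {
      reasons.push(`${publisher.login} only requires 2FA at login, not on writes`);
    }
    if (!req.freshAssertion) {
      reasons.push(`publish via ${req.credential} carried no fresh WebAuthn assertion`);
    }
  }

  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample data for a stand-alone run (hypothetical package and users).
const samplePackage = {
  name: "left-pad-ish",
  weeklyDownloads: 2_300_000,
  maintainers: [
    { login: "alice", factor: "webauthn", mode: "auth-and-writes" },
    { login: "bob", factor: "webauthn", mode: "auth-and-writes" },
  ],
};

// A legitimate publish: the maintainer touched the key for this request.
const legitPublish = { publisher: "alice", credential: "session", freshAssertion: true };

// The token-theft case: same account, valid long-lived token, no key touch.
const stolenToken = { publisher: "alice", credential: "token", freshAssertion: false };

console.log(evaluatePublish(samplePackage, legitPublish)); // allowed
console.log(evaluatePublish(samplePackage, stolenToken));  // refused, one reason
```

The stolen-token case is the one winkelmann describes: the account is fully enrolled, the credential is valid, and the request is still refused because nothing hardware-backed was presented for this particular write. On npm itself the per-account knob for this behaviour is `npm profile enable-2fa auth-and-writes` (as opposed to `auth-only`), and a package can additionally be set to require 2FA on publish with `npm access set mfa=publish <package>`; the registry-side threshold enforcement in the proposal is something npm would have to add.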