Comment by koolba
25 days ago
> Both versions were published using the compromised npm credentials of a lead axios maintainer, bypassing the project's normal GitHub Actions CI/CD pipeline.
Doesn’t npm mandate 2FA as of some time last year? How was that bypassed?
Apparently it's possible to create access tokens that bypass 2FA. Might've been this.
https://docs.npmjs.com/creating-and-viewing-access-tokens
Correct, for CI/CD systems that want to push releases.
If on GitHub, GitLab, or CircleCI, trusted publishing is available. No access token whatsoever.
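For readers who want to see what the token-free route looks like, here is an added example of a GitHub Actions workflow that publishes an npm package through trusted publishing (OIDC). It is not part of the thread and not the axios project's own workflow; the package, tag pattern and workflow filename are placeholders, and the trusted publisher (repository owner, repository name and this workflow's filename) is assumed to have been registered beforehand in the package's settings on npmjs.com.

```yaml
# .github/workflows/publish.yml (filename is an assumption; it must match the
# workflow name registered as the trusted publisher on npmjs.com)
name: Publish to npm via trusted publishing

on:
  push:
    tags:
      - "v*"   # placeholder: publish when a version tag is pushed

jobs:
  publish:
    runs-on: ubuntu-latest
    # The only credential is a short-lived OIDC ID token minted by GitHub for
    # this job. No NPM_TOKEN secret exists, so there is no long-lived token
    # that could be stolen and used outside of CI.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "22"
          registry-url: "https://registry.npmjs.org"

      # Trusted publishing requires npm 11.5.1 or newer, which is newer than
      # the npm bundled with Node 22, so upgrade the CLI first.
      - run: npm install -g npm@latest

      - run: npm ci

      # npm exchanges the job's OIDC token for a one-off publish credential
      # and attaches provenance automatically; nothing is read from secrets.
      - run: npm publish
```

Once the workflow is the registered trusted publisher, the package's publishing-access setting on npmjs.com can be switched to require 2FA and disallow tokens, which closes the path the thread describes: a maintainer's leaked automation token no longer grants publish rights, and every release is tied to a specific repository and workflow run that reviewers can inspect.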