npm killed long-lived tokens after the Sha1-Hulud attack, shifting to short-lived sessions and MFA by default. Security improved — but MFA phishing and optional publish protections still leave gaps. Console access can still mean package compromise. 🔗 Where the new model still fails → https://thehackernews.com/2026/02/npms-update-to-harden-their-supply.html