"GitHub has introduced 'staged publishing' for npm to prevent the distribution of compromised packages. Maintainers must now explicitly approve staged packages via 2FA before they become public. This aims to harden the software supply chain against malicious account takeovers."