It’s far from a complete solution, but to mitigate this specific avenue of supply chain compromise, couldn’t GitHub/npm issue single-purpose physical hardware tokens and allow (or even mandate, for the most popular projects) that maintainers use these hardware tokens as a form of 2FA?
What would a physical token give you that TOTP doesn't?
Edit: wait, did the attacker intercept the TOTP code as it was entered? Trying to make sense of the thread
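Added example, not part of this thread, modelling the question in the reply above: a TOTP code typed into a relay page is still accepted by the real site within its time window, while an origin-bound hardware token assertion made on the wrong origin is rejected. The secret is the RFC 6238 test key, the origins are constructed placeholders, and an HMAC stands in for WebAuthn's asymmetric signature.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread): the RFC 6238 test secret and placeholder origins.
TOTP_SECRET = b"12345678901234567890"
TOKEN_KEY = b"constructed-authenticator-key"
REAL_ORIGIN = "https://login.example.net"       # the genuine site
LOOKALIKE_ORIGIN = "https://login-example.net"  # a relay page the victim was lured to


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_verify(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Typical server check: the current window plus/minus `skew` neighbours are accepted."""
    return any(hmac.compare_digest(code, totp(secret, unix_time + 30 * i))
               for i in range(-skew, skew + 1))


def totp_relayed(unix_time: int) -> bool:
    """The victim types the code into the lookalike at `unix_time`; the relay forwards it 20 s later.
    Nothing in a TOTP code names the site it was typed into, so the real server accepts it."""
    code_seen_by_relay = totp(TOTP_SECRET, unix_time)
    return totp_verify(TOTP_SECRET, code_seen_by_relay, unix_time + 20)


def _assertion(key: bytes, origin: str, challenge: bytes) -> bytes:
    # WebAuthn-style binding: the signed data covers the origin the browser is actually on.
    # HMAC with a shared key stands in for the authenticator's asymmetric signature (simplification).
    return hmac.new(key, hashlib.sha256(origin.encode()).digest() + challenge, hashlib.sha256).digest()


def token_relayed(challenge: bytes) -> bool:
    """Same relay with an origin-bound token: the browser reports LOOKALIKE_ORIGIN to the
    authenticator, the real server verifies against REAL_ORIGIN, and the two do not match."""
    assertion = _assertion(TOKEN_KEY, LOOKALIKE_ORIGIN, challenge)
    expected = _assertion(TOKEN_KEY, REAL_ORIGIN, challenge)
    return hmac.compare_digest(expected, assertion)
```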