GitHub is finally tightening up security around npm following multiple attacks
SMRTR summary
GitHub is strengthening npm security after recent attacks, including the Shai-Hulud worm that led to over 500 compromised packages. Changes include enforcing FIDO-based 2FA, deprecating legacy tokens, implementing seven-day expiration for granular tokens, and expanding Trusted Publishing. These measures aim to protect the open source ecosystem, which is vulnerable to supply-chain attacks, while GitHub promises gradual implementation with support resources to minimize disruption.
SMRTR provides this summary for quick context. The original article belongs to TechRadar.