Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Ironically I started seeing a message in GitHub saying 2fa will be auto-enforced shortly. Wonder if that is a sign of similar for npm packaging?

Or wonder if GitHub is enforcing 2fa soon because of the NPM CVEs potential to harvest GitHub creds?



2FA is the first steps is stopping the onslaught.

But it still doesn't stop infected developer machines to silently update code and wait for the next release patiently.

It would require the diligence of those developers to check every line of code that goes out with a release... which is a lot to ask for someone who fell for a fishing email.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: