I'm a top 500 package maintainer apparently (I think for my work on ts-loader but I'm not certain).
This is great news. Some years ago an ethical hacker hacked me. I can still remember my shocked reaction upon being contacted by the hacker in question, when I learned they now had the ability to publish malicious versions of npm packages on my behalf. This was long before supply chain attacks were well known and commonly discussed. A more innocent time.
The hacker in question gave me a simple piece of advice: turn 2FA on for your packages. Which I subsequently did. It's great that npm are pushing this. Yes, it's a faff, but the tradeoffs are net good. A little inconvenience is reasonable as compared to the alternative possibility.
I remain very grateful to the person who hacked me. If you should be out there: thanks, you did me a service.
If you give your OTP to a phishing site, it might not log in again, but it can retain this session cookie for as long as it's valid and use it for access all that time.