I'm a top 500 package maintainer apparently (I think for my work on ts-loader but I'm not certain).

This is great news. Some years ago an ethical hacker hacked me. I can still remember my shocked reaction upon being contacted by the hacker in question where I learned they now had the ability to publish malicious versions of npm packages on my behalf. This was long before supply chain attacks were well known and commonly discussed. A more innocent time.

The hacker in question gave me a simple piece of advice: turn 2FA on for your packages. Which I subsequently did. It's great that npm are pushing this. Yes it's a faff but the tradeoffs are net good. A little inconvenience is reasonable as compared to the alternative possibility.

I remain very grateful to the person who hacked me. If you should be out there: thanks - you did me a service.

If you give your OTP to a phishing site, it might not log in again, but it can retain this session cookie for as long as it's valid and use it for access all that time.

On https://github.com/settings/security you can revoke other sessions.
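As an added illustration of the point above (example code, not from the commenter, npm or GitHub), here is a minimal server-side session store in Python. It models a TOTP login that mints a long-lived session cookie, shows that replaying the stale code fails while the cookie minted from it keeps working, and shows a "revoke other sessions" operation cutting that cookie off. The 30-second code step, the two-week session lifetime, the secret and the user name are all constructed assumptions.

```python
"""Session lifetime vs. OTP lifetime: a minimal in-memory model.

Constructed example (not code from npm, GitHub or the comment author).
A one-time code expires within a step or two, but the session cookie
issued after a successful login lives for its own, much longer, TTL.
Revoking other sessions is what actually ends a phished session.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional

OTP_STEP_SECONDS = 30                  # assumption: TOTP-style 30-second codes
SESSION_TTL_SECONDS = 14 * 24 * 3600   # assumption: two-week session cookie


def totp(secret: bytes, at: float, step: int = OTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for the time step containing `at`."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class SessionStore:
    """Server-side sessions keyed by an opaque cookie value."""

    def __init__(self, otp_secret: bytes):
        self.otp_secret = otp_secret
        self.sessions: Dict[str, dict] = {}   # cookie -> {"user", "expires"}

    def login(self, user: str, otp_code: str, now: float) -> Optional[str]:
        """Check the code against the current step; on success mint a cookie."""
        if not hmac.compare_digest(otp_code, totp(self.otp_secret, now)):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"user": user, "expires": now + SESSION_TTL_SECONDS}
        return cookie

    def user_for(self, cookie: str, now: float) -> Optional[str]:
        """Resolve a cookie to a user; expired or revoked sessions give None."""
        s = self.sessions.get(cookie)
        if s is None or s["expires"] <= now:
            self.sessions.pop(cookie, None)
            return None
        return s["user"]

    def revoke_other_sessions(self, user: str, keep_cookie: str) -> int:
        """Drop every session of `user` except the one the owner is using now."""
        doomed = [c for c, s in self.sessions.items()
                  if s["user"] == user and c != keep_cookie]
        for c in doomed:
            del self.sessions[c]
        return len(doomed)


def phished_otp_scenario() -> dict:
    """Walk through the scenario in the comment and return what is observable."""
    store = SessionStore(otp_secret=b"constructed-demo-secret")
    t0 = 1_700_000_000.0
    # The victim types the current code into a phishing page, which relays it.
    code = totp(store.otp_secret, t0)
    attacker_cookie = store.login("maintainer", code, t0)

    # Minutes later the code is stale: replaying it no longer logs in ...
    later = t0 + 10 * OTP_STEP_SECONDS
    replay = store.login("maintainer", code, later)
    # ... but the session minted from it is still perfectly good.
    still_valid = store.user_for(attacker_cookie, later)

    # The owner logs in with a fresh code and revokes everything else.
    t1 = t0 + 3600
    owner_cookie = store.login("maintainer", totp(store.otp_secret, t1), t1)
    revoked = store.revoke_other_sessions("maintainer", owner_cookie)
    after_revoke = store.user_for(attacker_cookie, t1 + 1)
    # Without revocation the cookie would only have died at its own TTL.
    owner_after_ttl = store.user_for(owner_cookie, t1 + SESSION_TTL_SECONDS + 1)

    return {
        "replay_login": replay,          # None: stale OTP rejected
        "cookie_still_valid": still_valid,   # "maintainer": session outlives OTP
        "revoked_count": revoked,        # 1: the phished session
        "after_revoke": after_revoke,    # None: access ended
        "owner_after_ttl": owner_after_ttl,  # None: TTL eventually expires it
    }


if __name__ == "__main__":
    for k, v in phished_otp_scenario().items():
        print(f"{k}: {v!r}")
```

The design point is that OTP validity and session validity are independent clocks: the code protects the login step only, so once a session exists the only controls left are the session TTL and explicit revocation, which is why "revoke other sessions" matters after a suspected phish.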