NPM Enables Mandatory Two-Factor Authentication for High-Value Package Maintainers

GitHub has expanded the NPM repository's enforcement of mandatory two-factor authentication, which will now apply to developer accounts that maintain packages that have more than 1 million downloads per week or that more than 500 packages use as a dependency. Previously, two-factor authentication was required only for the maintainers of the top 500 most popular NPM packages (based on the number of dependent packages).

Maintainers of high-value packages will now be able to perform operations that modify the repository only after enabling two-factor authentication, which requires confirming login using one-time passwords (TOTP) generated by applications such as Authy, Google Authenticator, and FreeOTP, or using hardware keys and biometric scanners that support the WebAuthn protocol.

Source: opennet.ru
