by paradite 1577 days ago
I have 2FA for my npm account, does 2FA prevent this kind of attack?
1 comments

I’d say so. You can’t reset an account’s password without the second factor. There’d be very little point to it otherwise.
Often the problem with MFA setups is: what's the fallback mechanism for when the user loses their password + MFA token? None of the options are perfect.

1) Permanently lock them out of their account. Not a good customer experience, and problematic in this setup (orphaned libraries).

2) Written "back-up codes". Fine in theory, but I'd guess a decent proportion of them are not well managed.

3) Fall-back to manual verification (e.g. phone call establishing secondary information). Expensive and error prone.