[stubish]

Quoting: "I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so"

A Python package in use enough to be flagged 'critical' could be earning a few hundred US dollars per month through Tidelift if the maintainers sign up. Which should more than compensate the 2FA overheads.

[rurban]

Does this really work? I assume only for popular JS, python or ruby packages, right?

[stubish]

I assume it needs to be popular, yes. I've assuming 'left-pad like' means popular, and may vastly overstating. I've been paid monthly for over a year now, but my package was top-20 by download count when that started.