[fortuitous-frog]

No. axios (v1 at least; not v0) were setup to publish via OIDC, but there's no option on npmjs for package maintainers to restrict their package to *only* using OIDC. The maintainer says his machine was infected via RAT, so if he was using software-based 2FA, nothing could have prevented this.

[dgellow]

Actually there is an option to restrict to only OIDC publishing. It is a bit hidden and relies on a different form for reasons I really cannot understand. Npm UX is just so bad.

Point 4 from https://npmdigest.com/guides/npm-trusted-publishing#ux-probl...

(I wrote that guide page for myself because I always get annoyed when dealing with npm OIDC)