Three npm supply-chain attacks hit in four weeks. None of them needed a stolen password.
Three unrelated npm attacks in May and June 2026 used three different techniques. All three got past 2FA and OIDC Trusted Publishing by skipping the registry account and going straight for the CI runner.
By FlowVerify Editorial Team