Our plan for a more secure npm supply chain
ID: 89c6c5ce-08f2-5e8d-850d-2a6a1b9acbe4
STIX ID: report--89c6c5ce-08f2-5e8d-850d-2a6a1b9acbe4
Feed Name: GitHub Security Lab
GitHub describes a high-impact npm supply-chain incident (the "Shai-Hulud" worm) that propagated via compromised maintainer accounts by injecting malicious post-install scripts into popular packages. The worm could steal multiple types of secrets, and the incident led to the removal of 500+ compromised packages. GitHub also details the mitigations it took (blocking IoCs) and a roadmap of security hardening measures, including FIDO-based 2FA, short-lived granular tokens, and trusted publishing, intended to prevent future token abuse and self-replicating malware.
