Will npm's new security steps stop attacks?
ID: eb45f61f-cad0-52f7-9e31-25eef42d3c4c
STIX ID: report--eb45f61f-cad0-52f7-9e31-25eef42d3c4c
Feed Name: ReversingLabs Blog
After ReversingLabs discovered the Shai-hulud self-replicating worm that compromised hundreds of npm packages and resulted in millions of downloads, GitHub announced stricter npm publishing controls — mandatory 2FA for local publishes, seven-day token lifetimes, promotion of OIDC-based trusted publishing from CI, and deprecation of legacy auth. The article explains these mitigations, notes they reduce but do not eliminate supply-chain risk (e.g., malicious maintainers, token misconfiguration, privileged CI tokens), and calls for broader application security practices, provenance, anomaly detection, and better funding/support for open-source maintainers.