To protect your packages, as a package publisher, you can require everyone who has write access to a package to provide a one-time password in addition to their login token when they publish the package to the registry or modify package settings.
To publish or modify a package with the two-factor authentication (2FA) setting enabled, a publisher must have 2FA enabled on their user account with "Authorization and Publishing" selected. For more information, see "How to use two-factor authentication".
Note: Currently, it is not possible to publish a package that has the 2FA setting enabled from CI. For more secure CI publishing, enable 2FA on the npm account used for CI with "Authorization" only selected, then create a CIDR-restricted token for CI by following the steps in "Working with tokens".
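One way to check that the CI token setup described in the note is actually in place (an added example, not part of the npm documentation): the script below audits a token listing and flags publish-capable tokens that carry no CIDR restriction, or whose range does not cover the CI runner. The field names `readonly` and `cidr_whitelist` are assumed to match the output of `npm token list --json`; the sample tokens and addresses are constructed, and only IPv4 ranges are handled.

```javascript
// Constructed sample shaped like `npm token list --json` output (field names assumed).
const sampleTokens = [
  { key: "aaa111", readonly: false, cidr_whitelist: ["203.0.113.0/24"] },
  { key: "bbb222", readonly: false, cidr_whitelist: [] },
  { key: "ccc333", readonly: true, cidr_whitelist: null },
  { key: "ddd444", readonly: false, cidr_whitelist: ["198.51.100.7/32"] },
];

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when `ip` falls inside the IPv4 range `cidr` ("a.b.c.d/len"); malformed input is false.
function inCidr(ip, cidr) {
  const [base, lenText = "32"] = String(cidr).split("/");
  if (!/^\d{1,2}$/.test(lenText) || Number(lenText) > 32) return false;
  const ipN = ipv4ToInt(ip), baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null) return false;
  const size = 2 ** (32 - Number(lenText)); // number of addresses in the block
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Classify each token for a CI runner that publishes from `ciEgressIp`.
function auditTokens(tokens, ciEgressIp) {
  return tokens.map((t) => {
    const ranges = Array.isArray(t.cidr_whitelist) ? t.cidr_whitelist : [];
    let finding;
    if (t.readonly) finding = "read-only: cannot publish";
    else if (ranges.length === 0) finding = "RISK: publish-capable, usable from any address";
    else if (ranges.some((r) => inCidr(ciEgressIp, r))) finding = "ok: restricted, covers CI runner";
    else finding = "restricted, but CI runner is outside the range";
    return { key: t.key, finding };
  });
}

console.log(auditTokens(sampleTokens, "203.0.113.25"));
```

To audit a real account, replace `sampleTokens` with the parsed JSON from the token listing and pass the CI runner's egress address.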
© npm, Inc. and Contributors
Licensed under the npm License.
npm is a trademark of npm, Inc.
https://docs.npmjs.com/getting-started/requiring-2fa-for-package-publishing-and-modification