ctipilot.ch


npm ships 2FA-gated "staged publishing" GA — platform-governance response to the worm waves

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

GitHub announced on 2026-05-22 that npm staged publishing is now Generally Available: a maintainer runs npm stage publish to create a staged release that must be explicitly promoted under 2FA before it becomes installable, alongside new install-time controls. This is the registry-level governance answer to the Shai-Hulud/Megalodon waves (§ 2) — the OIDC-token-reuse propagation primitive that made those worms self-spreading is blunted when an automated npm publish cannot reach end users without an interactive 2FA promotion step. Defender takeaway: where you operate internal npm publishing pipelines, adopt staged publishing and require the 2FA promotion gate; it does not retroactively clean compromised packages but it raises the cost of the next worm's propagation step.
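A toy model of the stage/promote split the announcement describes, added here as an illustration and not npm's code or GitHub's design. It assumes two token kinds (an "automation" token such as one minted to a CI job via OIDC, and an "interactive" maintainer session), a constructed fixed 2FA code for the maintainer, and a registry that serves only published versions to installs; every name in it is hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Token:
    subject: str   # holder: a CI job or a maintainer
    kind: str      # "automation" (e.g. OIDC-minted CI token) or "interactive"

# Constructed second factor: the maintainer's current 2FA code is a fixed value here.
CURRENT_OTP = {"alice": "482913"}

@dataclass
class Registry:
    versions: dict = field(default_factory=dict)  # (package, version) -> "staged" | "published"
    audit: list = field(default_factory=list)     # who staged/promoted what (detection hook)

    def stage(self, token: Token, pkg: str, ver: str) -> str:
        """Any publish-capable token may stage; a staged version is not installable."""
        self.versions[(pkg, ver)] = "staged"
        self.audit.append(("stage", token.subject, pkg, ver))
        return "staged"

    def promote(self, token: Token, pkg: str, ver: str, otp: str) -> str:
        """The 2FA gate: promotion needs an interactive session plus a valid second factor."""
        if token.kind != "interactive":
            raise PermissionError("promotion requires an interactive 2FA session")
        if CURRENT_OTP.get(token.subject) != otp:
            raise PermissionError("second factor rejected")
        if self.versions.get((pkg, ver)) != "staged":
            raise LookupError(f"{pkg}@{ver} is not a staged release")
        self.versions[(pkg, ver)] = "published"
        self.audit.append(("promote", token.subject, pkg, ver))
        return "published"

    def installable(self, pkg: str) -> list:
        """What an install can resolve: published versions only, never staged ones."""
        return sorted(v for (p, v), s in self.versions.items() if p == pkg and s == "published")

def worm_attempt(reg: Registry, stolen: Token, pkg: str) -> tuple:
    """Propagation step as the brief describes it: a worm holding a reused CI automation
    token stages a trojaned version, then tries to promote it with no human in the loop."""
    reg.stage(stolen, pkg, "1.0.1-trojan")
    try:
        reg.promote(stolen, pkg, "1.0.1-trojan", otp="000000")
        promoted = True
    except PermissionError:
        promoted = False
    return promoted, reg.installable(pkg)
```

The staged-but-never-promoted entry left in the audit list by an automation token is the signal an internal registry operator would alert on.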