Supply chain security
npm freezes high-impact maintainer accounts for 72 hours after a sensitive change
npm now puts its 'high-impact' maintainer accounts into a 72-hour read-only state whenever it detects a sensitive account change like an email update or 2FA recovery code use. Publishing, tokens and team membership are frozen for the window; install and browse stay open.