npm is implementing a staged publishing model to add a review step before packages go live, following a series of supply chain attacks in 2025. This change aims to give maintainers a chance to catch malicious or unintended changes before they are published. The new process requires multi-factor authentication for approval during the staging period.