Any account with permission to upload packages to NPM should be required to have strong 2FA (TOTP or a hardware key of some sort or something equally secure), have session tokens that are linked to the browser/IP/device (to prevent session token theft) and maybe also require a 2FA auth before a file upload.
Although I am sure there are some who will say "that's not acceptable, we need to be able to automate things and 2FA gets in the way". Sorry but security against hackers is more important than being able to click "go" on some CI setup and have it automatically upload the new version with no human actions.