I believe they have already stated that it was password reuse on other, compromised sites. **
It is possible that 2FA was compromised (and they chose to omit this), but doubtful. Beyond that, I don't think it's relevant - 2FA is already "the solution" to password compromise, and it's chosen by many, many companies.
I'm going to update my first post with something a bit more formal.
**
The maintainer whose account was compromised had reused their npm password on several other sites and did not have two-factor authentication enabled on their npm account.