In recent months, the npm registry has been targeted by advanced supply-chain attacks that leveraged compromised maintainer credentials to inject malicious code into widely used JavaScript packages.
In response, GitHub is rolling out a comprehensive set of security enhancements, including mandatory two-factor authentication, short-lived granular tokens, and expanded trusted publishing to safeguard the integrity of the npm ecosystem and restore confidence across the open source community.
Maintainers and GitHub security teams detected the “Shai-Hulud” worm: a self-replicating malicious script embedded in post-install hooks of popular npm packages.
This worm not only propagated automatically but also exfiltrated secrets beyond npm tokens—threatening continuous, undetected compromise of developer systems.
Swift collaboration between GitHub and package maintainers led to the removal of over 500 infected packages, and automated defenses in npm blocked uploads containing known indicators of compromise.
While these measures disrupted the worm’s spread, the incident underscored an urgent need to elevate authentication and publishing controls across the registry.
To prevent future token abuse and malware injection, GitHub will soon require two-factor authentication (2FA) for local publishes to npm, using WebAuthn (FIDO-based) authenticators in place of legacy time-based one-time passwords.
Classic access tokens will be deprecated in favor of granular tokens with a maximum seven-day lifespan and scoped permissions.
By default, publishing access will disallow all token-based uploads, steering maintainers toward trusted publishing or 2FA-backed local workflows.
Additionally, the option to bypass 2FA for local package publication will be eliminated, and trusted publisher eligibility will expand to more identity providers.
These changes will be phased in gradually, with detailed migration guides, clear timelines, and hands-on support to minimize disruption for maintainers.
Trusted publishing, championed by the OpenSSF Securing Software Repositories Working Group, removes API tokens from build pipelines entirely by using short-lived OpenID Connect (OIDC) credentials tied to CI providers.
Introduced by PyPI in April 2023 and later adopted by RubyGems, crates.io, and most recently NuGet, this model ensures that package uploads originate from authenticated, pre-approved workflows rather than persistent tokens stored in CI environments.
npm’s implementation, now generally available, is a pivotal step toward eliminating a primary attack vector in modern DevOps pipelines.
Maintainers can accelerate their defense by opting into trusted publishing today and enforcing strict 2FA settings on accounts, organizations, and individual packages.
When configuring 2FA, developers should transition to WebAuthn hardware or platform authenticators rather than TOTP to eliminate risks associated with one-time password interception.
By adopting these robust security practices, the open source community can collectively neutralize evolving threats and build a more resilient software supply chain for all.
The post GitHub Boosts npm Security with Stronger Authentication and Trusted Publishing appeared first on Cyber Security News.