After major npm attack: GitHub tightens security measures
After the Shai Hulud worm, GitHub tightens npm security: 2FA becomes mandatory, tokens are limited and trusted publishing is expanded.
(Image: Sundry Photography/Shutterstock.com)
GitHub has unveiled a comprehensive plan to improve npm (Node Package Manager) security. The measures are a direct response to the major npm attack in mid-September, in which self-replicating malware infected dozens of JavaScript packages via compromised maintainer accounts.
As GitHub announced in a blog post, only three authentication methods will be supported for publishing packages in the future: local publishing with mandatory two-factor authentication, time-limited granular tokens with a maximum validity of seven days, and trusted publishing.
Drastic changes to tokens and 2FA
The planned security improvements go far beyond previous measures. GitHub wants to completely abolish classic legacy tokens and replace time-based one-time passwords (TOTP) for two-factor authentication with FIDO-based procedures. Granular tokens with publishing authorization will have a significantly shorter validity period.
Particularly drastic: publishing access will prohibit token-based authentication by default. Developers should switch to trusted publishing or local publishing with mandatory 2FA instead. The option to bypass two-factor authentication for local package publishing will be completely removed.
Trusted publishing as a key technology
GitHub is increasingly relying on Trusted Publishing, a security technology recommended by the OpenSSF Securing Software Repositories Working Group. The process eliminates the need to manage API tokens in build systems and has already been implemented by PyPI, RubyGems, crates.io, and NuGet.
Originally, GitHub wanted to wait for the organic growth of Trusted Publishing. However, recent attacks have shown that faster action is required. The company is therefore planning to expand the number of supported providers for Trusted Publishing.
Immediate countermeasures after Shai Hulud
In response to the Shai Hulud worm, GitHub had already removed over 500 compromised packages from the npm registry and blocked the upload of new packages with corresponding indicators. The worm had spread by injecting malicious post-install scripts into popular JavaScript packages, stealing various types of secrets.
GitHub announced that the security changes would be rolled out gradually to minimize disruption. The company wants to guide developers through the transition with clear timelines, documentation, migration guides, and support channels. Maintainers can already switch to Trusted Publishing and tighten their publishing settings for accounts, organizations, and packages.
(mack)