GitHub strengthens npm security against supply chain attacks.

24 September 2025 07:16

GitHub has announced major changes to its npm authentication and publishing system, aimed at strengthening protection against supply chain attacks. The updates were prompted by the recent Shai-Hulud campaign, a malicious, self-propagating worm embedded in hundreds of npm libraries. Not only did it replicate itself in other packages, but it also scanned developers’ devices for sensitive data, including keys and tokens, and transmitted it to attackers.

In response to the incident, GitHub announced that it would soon eliminate legacy permission mechanisms and introduce stricter controls.

Key changes include mandatory two-factor authentication for local publishing and the move to short-lived tokens with a maximum validity of seven days. Additionally, the company will actively promote the use of Trusted Publishing, a system based on the OpenID Connect protocol that allows direct publishing of packages from CI/CD without a token.

Trusted Publishing creates a cryptographically verifiable link between a published package and its build environment. The npm command line interface automatically generates and attaches a proof of authenticity to the release, allowing any user to verify where and under what conditions the package was built. This solution aims to increase transparency and trust in software component vendors.

The transition to the new system will include the following changes:

  • removal of the classic tokens previously used for publishing;
  • discontinuation of TOTP as a 2FA method in favor of FIDO-compatible physical security keys;
  • shorter validity periods for granular access tokens, especially those that grant publishing rights;
  • token-based publishing blocked by default, with preference given to Trusted Publishing or manual upload protected by 2FA;
  • removal of the exceptions that allowed two-factor protection to be bypassed during local publishing;
  • expansion of the list of CI/CD providers supported for Trusted Publishing.
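The mechanism described above (Trusted Publishing via OpenID Connect, with provenance attached by the npm CLI) and the list item on token-based publishing being blocked by default are easiest to see in a concrete release workflow. The following GitHub Actions workflow is an added example and is not taken from the article or from GitHub; it assumes the package has been registered for trusted publishing on npmjs.com against this repository and this workflow file name (`.github/workflows/publish.yml`), that releases are cut by publishing a GitHub release, and that the npm CLI version installed meets the minimum trusted publishing required at launch (11.5.1 or later).

```yaml
# Added example: release workflow using npm Trusted Publishing (OIDC).
# Assumptions (not from the article): the package is registered for trusted
# publishing on npmjs.com with this repository and this workflow filename,
# and a publish happens when a GitHub release is published.
name: publish

on:
  release:
    types: [published]

# Least privilege at the workflow level: nothing here needs write access
# to the repository contents.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # allows the job to request an OIDC token for the registry
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs a recent npm CLI (11.5.1 or later at launch);
      # the runner image may ship an older version.
      - run: npm install -g npm@latest

      - run: npm ci

      # Note what is absent: no NODE_AUTH_TOKEN / NPM_TOKEN secret. The npm CLI
      # exchanges the workflow's OIDC identity for a short-lived publish
      # credential and attaches a provenance attestation to the release, so
      # there is no long-lived token to steal from a developer machine.
      - run: npm publish
```

The security-relevant difference from a token-based workflow is the missing `NODE_AUTH_TOKEN` secret: the credential only exists for the duration of the job and is bound to this repository and workflow, which is what makes a stolen developer token useless for publishing. On the consuming side, `npm audit signatures` run inside a project that depends on the package checks that the installed versions carry valid registry signatures and provenance attestations, which is the verification step the article says any user can perform.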

According to GitHub, this should dramatically reduce attackers’ ability to take over the npm infrastructure via forged or stolen tokens, especially given the scale of the Shai-Hulud attack.

The tipping point was the recently discovered malware, which was capable not only of replicating itself but also of stealing various types of secrets, going far beyond the compromise of a single ecosystem. The company emphasizes that without the community’s timely intervention and response, the consequences could have been much more severe.

The new publishing model aims to reduce reliance on tokens as a single point of failure and to strengthen the verification of every package publishing action.

These measures represent not only a response to a specific attack, but also a strategic review of the entire security system, based on the principles of privilege minimization and cryptographic verification.


The Red Hot Cyber Editorial Team provides daily updates on bugs, data breaches, and global threats. Every piece of content is validated by our community of experts, including Pietro Melillo, Massimiliano Brolli, Sandro Sana, Olivia Terragni, and Stefano Gazzella. Through synergy with our industry-leading partners—such as Accenture, CrowdStrike, Trend Micro, and Fortinet—we transform technical complexity into collective awareness. We ensure information accuracy by analyzing primary sources and maintaining a rigorous technical peer-review process.