Redazione RHC : 24 September 2025 07:16
GitHub has announced major changes to its npm authentication and publishing system, aimed at strengthening protection against supply chain attacks. The updates were prompted by the recent Shai-Hulud campaign, a malicious, self-propagating worm embedded in hundreds of npm libraries. Not only did it replicate itself in other packages, but it also scanned developers’ devices for sensitive data, including keys and tokens, and transmitted it to attackers.
In response to the incident, GitHub announced that it would soon eliminate legacy permission mechanisms and introduce stricter controls.
Key changes include mandatory two-factor authentication for local publishing and the move to short-lived tokens with a maximum validity of seven days. Additionally, the company will actively promote the use of Trusted Publishing, a system based on the OpenID Connect protocol that allows direct publishing of packages from CI/CD without a token.
Trusted Publishing creates a cryptographically verifiable link between a published package and its build environment. The npm command line interface automatically generates and attaches a proof of authenticity to the release, allowing any user to verify where and under what conditions the package was built. This solution aims to increase transparency and trust in software component vendors.
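What the switch looks like in a GitHub Actions workflow, as an added example that is not taken from GitHub's announcement. It assumes the package already lists this repository and workflow file as its trusted publisher in the npm package settings; the file name, the release trigger, the Node version and the `NPM_TOKEN` secret name are illustrative.

```yaml
# .github/workflows/publish.yml (file name is an assumption; it must match
# the workflow registered as the trusted publisher for the package)
name: publish
on:
  release:
    types: [published]

# Deny all token permissions by default; the job opts in to what it needs.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets the job request an OIDC identity token from GitHub
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Trusted Publishing needs a recent npm CLI.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm test
      # Token-based step this replaces (NPM_TOKEN is a hypothetical secret name):
      #   - run: npm publish
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # With OIDC there is no long-lived secret stored in the repository; the
      # CLI exchanges the job's identity token for a short-lived credential.
      - run: npm publish
```

Consumers can check the registry signatures and provenance attestations of their installed dependencies with `npm audit signatures`.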
The transition to the new system will include the following changes:
According to GitHub, this should dramatically reduce attackers’ ability to take over npm infrastructure via counterfeit or stolen tokens, especially given the scale of the Shai-Hulud attack.
The tipping point was a recently discovered malware that was capable not only of replicating itself but also of stealing various types of secrets, going far beyond compromising a single ecosystem. The company emphasizes that without the community’s timely intervention and response, the consequences could have been much more severe.
The new publishing model aims to reduce reliance on tokens as a single point of failure and to increase the level of verification applied to every package publication.
These measures represent not only a response to a specific attack, but also a strategic review of the entire security system, based on the principles of privilege minimization and cryptographic verification.