GitHub is taking decisive steps to enhance the security of the NPM ecosystem following a series of alarming supply chain attacks. These incidents have raised significant concerns among developers and users alike, prompting a review of authentication and publishing protocols within the NPM registry.
In the past three months, the NPM ecosystem has faced multiple attacks, culminating in the recent deployment of the Shai-Hulud self-replicating worm. This attack compromised 195 packages and led to the publication of over 500 malicious package versions on the registry. Just a week prior, 18 NPM packages maintained by developer Josh Junon were injected with malware after he was targeted by a phishing campaign masquerading as NPM support. With these packages collectively amassing over 2.5 billion weekly downloads, the impact of these breaches has been substantial.
In July, another wave of attacks compromised multiple packages with a combined weekly download count exceeding 30 million. That campaign relied on typosquatting: lookalike domains and names that let the attackers impersonate npm and legitimate Node.js package maintainers and phish publishing credentials. The frequency and severity of these incidents prompted GitHub to act quickly.
According to GitHub, the Shai-Hulud attack underscored the urgency of improving security measures. The platform, in collaboration with the open-source community, acted quickly to remove malicious packages and block further uploads that could have led to an even larger number of infections. “By combining self-replication with the capability to steal multiple types of secrets, this worm could have enabled an endless stream of attacks had it not been for timely action from GitHub and open source maintainers,” GitHub stated.
To mitigate the risks of token abuse and self-replicating malware, GitHub will implement a series of measures. Local publishing will soon require two-factor authentication (2FA), with no bypass option. Granular access tokens that carry publishing permissions will be limited to a seven-day lifetime. And GitHub is pushing adoption of trusted publishing, which npm already supports: instead of a long-lived token stored in CI secrets, the publishing job presents a short-lived OpenID Connect (OIDC) identity token issued by the CI provider, and the registry verifies it against a pre-registered repository and workflow before accepting the upload. A stolen credential therefore has a short life and a narrow scope, and each published package can be traced to the specific source system that built it.
GitHub emphasized the importance of trusted publishing, stating, “When NPM released support for trusted publishing, it was our intention to let adoption of this new feature grow organically. However, attackers have shown us that they are not waiting. We strongly encourage projects to adopt trusted publishing as soon as possible, for all supported package managers.”
Further changes include deprecating legacy classic tokens and deprecating time-based one-time password (TOTP) 2FA in favor of WebAuthn. GitHub will also shorten the lifetime of granular tokens that have publishing permissions, change the default publishing-access setting so that tokens are disallowed unless explicitly enabled (publishing then goes through trusted publishing or 2FA-enforced local publishing), remove the option to bypass 2FA for local package publishing, and expand the list of CI providers eligible for trusted publishing.
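To make the trusted-publishing model concrete, here is a GitHub Actions workflow that publishes to npmjs.com without any stored registry token. This is an example written for this page, not GitHub's or npm's own configuration; the repository name example-org/example-pkg, the workflow filename publish.yml and the environment name release are assumptions, and the package's Trusted Publisher entry on npmjs.com is assumed to name exactly those values.

```yaml
# Added example (not from the article, GitHub or npm): publish to npmjs.com
# via trusted publishing (OIDC). Assumed: repository example-org/example-pkg,
# this file lives at .github/workflows/publish.yml, and the package's
# Trusted Publisher entry on npmjs.com names that repository, this filename
# and the "release" environment. No NPM_TOKEN secret exists anywhere.
name: Publish to npm (trusted publishing)

on:
  push:
    tags:
      - "v*"            # publish only from version tags, e.g. v1.4.2

permissions:
  contents: read        # least privilege for every job by default

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: release  # must match the environment in the npm trusted publisher config
    permissions:
      contents: read
      id-token: write   # allows the job to request an OIDC token; npm verifies that token
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "22"
          registry-url: "https://registry.npmjs.org"

      # Trusted publishing needs npm CLI 11.5.1 or newer; the npm bundled
      # with the Node release may be older, so upgrade explicitly.
      - run: npm install -g npm@latest

      - run: npm ci

      # Refuse to publish if the tag does not match package.json, so a stray
      # or attacker-pushed tag cannot ship an unintended version.
      - name: Check tag matches package version
        run: |
          PKG_VERSION="$(node -p "require('./package.json').version")"
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          if [ "$PKG_VERSION" != "$TAG_VERSION" ]; then
            echo "package.json version $PKG_VERSION does not match tag $TAG_VERSION" >&2
            exit 1
          fi

      # No NODE_AUTH_TOKEN / NPM_TOKEN here: npm exchanges the job's OIDC
      # token for a short-lived publish credential and, for public packages,
      # attaches build provenance automatically.
      - run: npm publish
```

The workflow only works once the package's settings on npmjs.com register GitHub Actions as a trusted publisher with the same organization, repository, workflow filename and (optionally) environment; a job from any other repository or workflow file is rejected even though it also holds `id-token: write`. Pair it with the package's publishing-access setting that requires 2FA and disallows tokens, so that the OIDC path and an interactive 2FA-backed `npm publish` are the only remaining ways to ship a version.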
Acknowledging the potential impact of these changes, GitHub stated, “We recognize that some of the security changes we are making may require updates to your workflows. We are going to roll these changes out gradually to ensure we minimize disruption while strengthening the security posture of NPM.”
Developers and maintainers are encouraged to move to trusted publishing as soon as possible, ensure that 2FA is enforced for publishing, and use WebAuthn (a passkey or hardware security key) rather than TOTP when configuring 2FA; unlike a TOTP code, a WebAuthn assertion is bound to the registry's origin and cannot be replayed by a phishing page. As the NPM ecosystem continues to grow, GitHub's measures aim to safeguard it against evolving threats.
