GitHub Enhances npm Security with Mandatory 2FA and Other Measures

GitHub has announced a new set of protective measures designed to counter supply chain attacks—an escalating problem that has led to several major incidents on the platform in recent months.
A String of High-Profile Attacks
Several large-scale compromises have highlighted the risks facing GitHub and npm:
- August: the “s1ngularity” incident exposed data from 2,180 accounts and affected 7,200 repositories.
- September: the malicious “GhostAction” campaign led to widespread theft of secrets, including PyPI, npm, DockerHub, GitHub tokens, and Cloudflare and AWS API keys.
- Last week: researchers uncovered “Shai-Hulud,” a self-propagating worm inside npm.
Although GitHub engineers responded quickly and helped mitigate the damage, the company acknowledges that proactive defenses are now essential.
Planned Security Measures
GitHub reports it is implementing several major changes to reduce supply chain risks:
- Mandatory two-factor authentication (2FA) for local publishes
- Enforced use of granular tokens with a 7-day validity period
- Expansion and promotion of trusted publishing
- Phasing out classic tokens and TOTP 2FA in favor of FIDO-based 2FA
- Shorter validity periods for publish tokens
- Default publish access that disallows token-based publishing
- Removal of the ability to bypass 2FA for local publishes
These measures will be rolled out gradually, with documentation and migration guides provided to minimize disruption for developers.
Push Toward Trusted Publishing
GitHub strongly recommends adopting trusted publishing, which eliminates the need to manage API tokens in build systems and is already gaining traction in other ecosystems.
npm maintainers are advised to:
- Switch immediately to trusted publishing,
- Enforce 2FA for publishing and write actions, and
- Use WebAuthn instead of TOTP for authentication.
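A concrete form of the trusted-publishing recommendation above, added here as an illustration rather than taken from GitHub's announcement: a GitHub Actions workflow that publishes to npm through the OIDC trust relationship instead of a long-lived token stored as a repository secret. The workflow name, release trigger and Node version are assumptions; the workflow file must be registered as a trusted publisher in the package's settings on npmjs.com, and the npm CLI must be recent enough to support trusted publishing (hence the upgrade step).

```yaml
# .github/workflows/publish.yml (assumed filename; it must match the trusted publisher
# entry configured for the package on npmjs.com)
name: publish
on:
  release:
    types: [published]

permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # allows the job to request an OIDC token; npm exchanges it for a
                        # short-lived publish credential, so no NPM_TOKEN secret exists to steal
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs a recent npm CLI; the one bundled with Node may be older.
      - run: npm install -g npm@latest
      - run: npm ci
      # Weak pattern this replaces (do not combine with trusted publishing):
      #   - run: npm publish
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # A token in secrets is exactly what the GhostAction-style campaigns harvest.
      - run: npm publish --provenance --access public
```

Pair this with the package-level setting that requires 2FA and disallows tokens for local publishes, so the workflow identity and an interactive 2FA-backed maintainer are the only publish paths left.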
A Collective Responsibility
In its announcement, GitHub emphasized that securing the ecosystem is a shared responsibility. While the platform will enforce stronger guardrails, developers themselves must also take steps to minimize supply chain risks using available protections.
RubyGems Faces Similar Challenges
The move comes as other ecosystems also confront supply chain threats. RubyGems developers recently rolled out security enhancements after two notable incidents:
- June: discovery of malware mimicking Fastlane and stealing Telegram API data
- August: detection of 60 malicious packages that had been downloaded more than 275,000 times
For now, administrative rights remain solely with the Ruby Central team until a new governance model is established. Developers promise a more transparent system with greater community participation, though many Ruby community members currently see the changes as a power grab.