Attackers are constantly finding ways to take over accounts and push malicious packages to the npm registry, the (GitHub-operated) online repository for JavaScript and Node.js packages.
But this month alone has seen the compromise of popular packages after a successful phishing campaign, and the Shai-Hulud attack, which used a self-replicating, worm-like payload that ultimately compromised over 500 packages and exposed many secrets.
While GitHub has managed to put a stop to Shai-Hulud’s replication and has blocked the uploading of new packages containing the malware’s indicators of compromise, it has also concluded that further changes are needed to prevent similar attacks in the future.
Planned security improvements
GitHub is working towards a future where:
1. Local package publishing will require 2FA
GitHub is planning to remove the option to bypass 2FA for local package publishing, and will deprecate time-based one-time password (TOTP) 2FA. Users will be migrated to FIDO-based 2FA.
2. Trusted publishing is adopted and used more widely
Trusted publishing is a system that lets package repositories trust specific workflows or services to publish code using short-lived OpenID Connect identity tokens instead of long-lived API keys. This reduces the chance of stolen credentials being used to spread malicious packages.
At the moment, npm trusted publishing only supports GitHub Actions and GitLab Pipelines, but GitHub plans to expand the list of eligible CI/CD providers for trusted publishing.
Adding a trusted publisher on npmjs.com (Source: npm registry)
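As an added illustration (not from the original article, and not GitHub’s or npm’s own code), this is the shape of a GitHub Actions workflow that publishes through npm trusted publishing: the job asks GitHub for a short-lived OIDC token via the `id-token: write` permission and runs `npm publish` with no `NPM_TOKEN` secret in the repository at all. The workflow filename, environment name and Node version are placeholders; the matching trusted publisher (repository plus workflow filename) is assumed to be registered for the package on npmjs.com, and a current npm CLI is assumed (npm’s documentation lists 11.5.1 or later as the minimum).

```yaml
# Added example: .github/workflows/publish.yml (placeholder name; it must match
# the workflow filename registered as the trusted publisher on npmjs.com).
name: Publish to npm

on:
  release:
    types: [published]

permissions:
  contents: read   # default for the whole workflow: read-only

jobs:
  publish:
    runs-on: ubuntu-latest
    # Optional: a deployment environment with required reviewers adds an
    # approval gate before the OIDC token is minted (placeholder name).
    environment: npm-publish
    permissions:
      contents: read
      id-token: write   # allows this job to request an OIDC token from GitHub

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs a recent npm CLI (assumption: 11.5.1+ per npm docs).
      - run: npm install -g npm@latest

      - run: npm ci

      # No NODE_AUTH_TOKEN / NPM_TOKEN here. The npm CLI exchanges the job's
      # OIDC token for a short-lived registry credential scoped to this
      # package, and the registry checks the token's repository and workflow
      # claims against the trusted-publisher record. There is no long-lived
      # token in the repo for a phished maintainer or a worm to steal.
      - run: npm publish
```

If a `NODE_AUTH_TOKEN` secret is still present in such a workflow, it is a sign the migration is incomplete: the point of trusted publishing is that the long-lived token can be revoked entirely.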
3. The granular access tokens will have a restricted lifetime
Granular tokens with publishing permissions will have a maximum lifetime of 7 days. Legacy classic tokens will be deprecated. Publishing access will disallow tokens by default and push users towards trusted publishers or 2FA-enforced local publishing.
A gradual rollout
“We recognize that some of the security changes we are making may require updates to your workflows. We are going to roll these changes out gradually to ensure we minimize disruption while strengthening the security posture of npm,” said Xavier René-Corail, GitHub’s senior director of security research.
“We’re committed to supporting you through this transition and will provide future updates with clear timelines, documentation, migration guides, and support channels.”
In the meantime, npm maintainers have been encouraged to switch to WebAuthn for two-factor authentication; start using npm trusted publishing instead of tokens; and enforce the use of 2FA for package publishing and settings modification.