In light of recent supply chain attacks targeting the NPM ecosystem, GitHub will implement tighter authentication and publishing rules meant to improve the NPM registry’s security.
Several major incidents occurred over the past three months, with the most recent involving the Shai-Hulud self-replicating worm that impacted dozens of maintainer accounts last week. The attackers compromised 195 packages and pushed over 500 malicious package versions to the registry.
A week before, 18 NPM packages maintained by Josh Junon were injected with malware after the maintainer fell victim to a phishing campaign impersonating NPM support. Combined, the packages have over 2.5 billion weekly downloads.
In July, multiple packages with combined weekly downloads of over 30 million were poisoned after their maintainers were phished by attackers using a typosquatted domain to impersonate the Node.js package registry.
According to GitHub, the Shai-Hulud attack triggered swift action from the platform and the community to remove the malicious packages and block the upload of new malware that could have led to a significantly higher number of infections.
“By combining self-replication with the capability to steal multiple types of secrets (and not just npm tokens), this worm could have enabled an endless stream of attacks had it not been for timely action from GitHub and open source maintainers,” GitHub notes.
To reduce the risks associated with token abuse and self-replicating malware, the Microsoft-owned code hosting platform will limit publishing to three options: local publishing with two-factor authentication (2FA) required, granular access tokens that expire after seven days, and trusted publishing.
A recommended security capability, trusted publishing removes the need to manage long-lived tokens. Instead, the CI system proves its identity to the registry with an OpenID Connect (OIDC) token, the registry issues a short-lived, tightly scoped credential for that publish, and the package is verifiably tied to the specific source repository and workflow it was built from.
“When NPM released support for trusted publishing, it was our intention to let adoption of this new feature grow organically. However, attackers have shown us that they are not waiting. We strongly encourage projects to adopt trusted publishing as soon as possible, for all supported package managers,” GitHub notes.
Additionally, the platform will deprecate legacy classic tokens and time-based one-time password (TOTP) 2FA. It will also set a shorter expiration for granular tokens with publishing permissions, change publishing access to disallow tokens by default, prevent 2FA bypass for local package publishing, and expand eligible providers for trusted publishing.
“We recognize that some of the security changes we are making may require updates to your workflows. We are going to roll these changes out gradually to ensure we minimize disruption while strengthening the security posture of NPM,” GitHub says.
GitHub encourages maintainers to switch to trusted publishing as soon as possible, to ensure 2FA is required for publishing, and to use WebAuthn instead of TOTP when configuring 2FA.