- GitHub will enforce 2FA and deprecate legacy tokens to improve package publishing security
- Trusted Publishing will expand, and token-based publishing will be restricted by default
- Shai-Hulud worm breached npm, prompting removal of over 500 compromised packages
Following a number of recent high-profile attacks and hacking attempts, GitHub has decided to make substantial changes to the security of its platform.
In a blog post, GitHub detailed changes to authentication and publishing, set to go live “in the near future”, with the aim of hardening package publication.
The announcement notes that authentication and publishing options will be changed to include local publishing with required 2FA, granular tokens with a seven-day expiration date, and Trusted Publishing.
Extra authentication and protection
Furthermore, GitHub announced it would deprecate legacy classic tokens, as well as time-based one-time password (TOTP) 2FA, forcing users to migrate to FIDO-based 2FA. It will also limit granular tokens with publishing permissions to a shorter expiration, and set publishing access to disallow tokens by default (this should push users toward trusted publishers or 2FA-enforced local publishing).
The option to bypass 2FA for local package publishing will be removed, while the list of eligible providers for trusted publishing will be expanded.
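To make the token-free path concrete, here is an added example (not from GitHub's post, and not an official template) of a GitHub Actions workflow that publishes a package through npm Trusted Publishing instead of a stored registry token. It assumes the repository, this workflow's file name (`publish.yml`) and the `release` environment have already been registered as a trusted publisher for the package on npmjs.com; the package name, Node version and action versions are placeholders.

```yaml
# .github/workflows/publish.yml  (added example; file name must match the
# trusted-publisher configuration registered for the package on npmjs.com)
name: Publish to npm via Trusted Publishing

on:
  release:
    types: [published]

# Default: the workflow holds no write permissions at all.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: release          # assumed environment name registered with npm
    permissions:
      contents: read
      id-token: write             # lets this job request a short-lived OIDC token
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22        # placeholder
          registry-url: https://registry.npmjs.org

      # Trusted Publishing is handled by the npm CLI, so use a current release.
      - run: npm install -g npm@latest

      - run: npm ci

      # No NODE_AUTH_TOKEN / NPM_TOKEN secret: the registry accepts the
      # job's OIDC identity (repo + workflow + environment) as the publisher.
      # The older pattern this replaces looked like:
      #   - run: npm publish
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived classic token
      - run: npm publish --access public
```

The security-relevant difference is that nothing in the repository secrets can be exfiltrated to publish on the maintainer's behalf: the credential is minted per job, is scoped to this workflow and environment, and expires when the job ends. The `permissions` block keeps `id-token: write` confined to the one job that needs it rather than granting it workflow-wide.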
“We recognize that some of the security changes we are making may require updates to your workflows,” GitHub explained.
“We are going to roll these changes out gradually to ensure we minimize disruption while strengthening the security posture of npm. We’re committed to supporting you through this transition and will provide future updates with clear timelines, documentation, migration guides, and support channels.”
One such attack is the recent Shai-Hulud incident, in which a self-replicating worm infiltrated the npm ecosystem via a compromised maintainer account and went about stealing all kinds of secrets from software developers.
The attack forced GitHub to remove more than 500 compromised packages, as well as block the upload of new packages containing whatever indicators of compromise were available at the time.