

Ethical Hacking News

GitHub Tightens npm Security Amidst Phishing Attacks and Malware Plague


GitHub has taken steps to tighten security in its npm registry following a series of phishing attacks and malware incidents. The company plans to remove legacy authentication methods and implement trusted publishing with two-factor authentication, aiming to enhance security for JavaScript package management.

  • The npm registry has removed over 500 compromised packages and blocked others from upload.
  • Legacy authentication methods will be removed, token lifetimes will be shortened, and Trusted Publishing will become the default.
  • Trusted Publishing uses OpenID Connect to verify the package source and issue short-lived tokens.
  • Some developers are skeptical that Trusted Publishing addresses their security concerns.
  • GitHub is expanding the providers eligible for trusted publishing, including cloud-hosted runners.



GitHub, which operates the npm registry for JavaScript packages, has taken significant steps to enhance security measures for the registry. This move comes in response to recent phishing attacks on package maintainers and the discovery of hundreds of compromised packages infected with secret-stealing malware.

According to Xavier René-Corail, security lab lead at GitHub, over 500 compromised packages have been removed from the registry, while others have been blocked from upload by security scanning. These measures are part of a broader effort to strengthen security in the npm registry.

René-Corail explained that many existing authentication methods will be removed "in the near future," including legacy classic tokens and one-time passwords for two-factor authentication (2FA). Token lifetimes will also be shortened, and trusted publishing and 2FA-enforced local publishing will become the default.

Trusted publishing was first adopted by the PyPI package index and is designed for automated workflows. Using OpenID Connect (OIDC), the package repository verifies that a package comes from a trusted source and issues a short-lived token for that publish, avoiding the risks of long-lived tokens that can be stolen. Currently, npm trusted publishing only supports GitHub Actions and GitLab CI/CD pipelines.
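What the switch from a stored token to trusted publishing looks like in a GitHub Actions workflow, as an added example that is not part of the original article and not GitHub's or npm's own configuration. It assumes a trusted publisher has been registered on npmjs.com for this repository and workflow file, that the npm CLI version installed by the runner supports OIDC-based publishing, and that an environment named `release` exists (or is created on first use); the workflow and environment names are illustrative.

```yaml
# Added example (not from the article): release workflow using npm trusted
# publishing (OIDC) in place of a long-lived automation token.
# Assumptions: a trusted publisher for this repo/workflow is configured on
# npmjs.com, and the npm CLI in use supports OIDC publishing.
name: release
on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write   # lets the job request an OIDC identity token from GitHub; required for trusted publishing

jobs:
  publish:
    runs-on: ubuntu-latest   # GitHub-hosted runner; the article notes self-hosted runners are planned for later
    environment: release     # optional: a protected environment with required reviewers means a pushed tag alone cannot publish
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm test
      # Before (weak): a long-lived token stored as a repository secret.
      # Anyone who exfiltrates NPM_TOKEN can publish until it is revoked.
      #
      # - run: npm publish --access public
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      #
      # After: no registry token lives in the repository. npm exchanges the
      # job's OIDC identity token for a short-lived credential for this publish.
      - run: npm publish --access public
```

The `environment` line is the defender's answer to the worry raised below that malware on a maintainer's machine could push a tag and have CI release it: with required reviewers on the environment, the job still has to wait for a human approval before the publish step runs, so a pushed tag alone is not enough. Leave `NPM_TOKEN` out of the repository's secrets entirely once the OIDC path works, so there is nothing left to steal.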

However, not all developers are convinced that trusted publishing is enough to address security concerns. Andrey Sitnik, maintainer of the popular postcss project, expressed doubt about the OIDC Trusted Publisher, stating that adding a Trusted Publisher via CI increases risk. He said he publishes with 2FA backed by a hardware key such as a YubiKey, and worried that malware hidden in postcss's node_modules could create commits and tags and push them to GitHub, where a CI-driven publish would pick them up.

Another developer requested further steps from GitHub, such as making it possible to require more than one review and making it harder for a single compromised account to revert changes. This highlights the need for continued collaboration between developers and security experts to ensure that npm registry security is adequate.

The new measures will be rolled out gradually, with the timing yet to be announced. While this approach may help minimize disruption, it also underscores the challenges of transitioning from existing workflows to new ones.

In addition to enhancing security, GitHub is expanding the providers eligible for trusted publishing, including cloud-hosted GitHub runners and, in a future release, self-hosted runners. This expansion aims to increase flexibility and accessibility for developers.

Phishing attacks on package maintainers have been a recurring issue.

The npm registry has faced numerous security challenges in recent months: a developer was snared in a crypto phishing net, 18 npm packages were compromised, and a popular npm package was hijacked in a massive supply chain attack. These incidents highlighted the risks of relying on external dependencies for software development.

In conclusion, GitHub's efforts to strengthen npm registry security are a significant step towards mitigating the impact of recent phishing attacks and malware incidents. While there is still work to be done, these measures demonstrate the company's commitment to ensuring the integrity of its platform and protecting developers from potential threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Github-Tightens-Npm-Security-Amidst-Phishing-Attacks-and-Malware-Plague-ehn.shtml
  • https://go.theregister.com/feed/www.theregister.com/2025/09/23/github_npm_registry_security/
  • https://www.theregister.com/2025/09/23/github_npm_registry_security/
  • https://fieldeffect.com/blog/self-propagating-malware-targets-github-npm-ecosystems


  • Published: Tue Sep 23 10:44:18 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.
