Microsoft-owned GitHub, which also operates the npm registry, has responded to recent attacks on the node package manager (npm) ecosystem, such as the Shai-Hulud self-replicating worm, with a set of changes intended to restore trust in the open-source ecosystem.

GitHub's senior director of security research, Xavier René-Corail, unveiled a roadmap for securing package publication on npm.
Among the changes being implemented are mandatory two-factor authentication (2FA) for local publishing, and granular access tokens that let developers restrict which packages and scopes a credential can access.
Granular tokens can also be restricted to specific organisations, given expiration dates, limited to particular Internet Protocol (IP) address ranges, and set to read-only or read-and-write access.
Trusted Publishing, an authentication method pioneered by the Python Software Foundation's PyPI registry to remove long-lived application programming interface (API) tokens from build pipelines, will also be introduced, René-Corail said.
It uses the OpenID Connect (OIDC) standard, which is built on OAuth 2.0, to let a CI/CD system such as GitHub Actions prove its identity to the registry with a short-lived identity token instead of a stored secret.
npm maintainers can start using Trusted Publishing instead of tokens now, and can switch to the Web Authentication (WebAuthn) API rather than time-based one-time password (TOTP) codes, which can be phished and relayed in adversary-in-the-middle attacks.
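As an added illustration (not from the article, and not GitHub's or npm's own code), the following GitHub Actions workflow shows what a Trusted Publishing pipeline looks like once a trusted publisher has been registered on npmjs.com for this repository and this workflow file. The package, repository and release trigger are hypothetical. The point to notice is what is absent: there is no NODE_AUTH_TOKEN secret and no token in .npmrc; the only thing the job needs is the `id-token: write` permission, which lets it request an OIDC token that the npm CLI exchanges for a short-lived publish credential.

```yaml
# publish.yml (hypothetical workflow file; added example, not GitHub's or npm's own)
# Assumptions: a trusted publisher entry on npmjs.com points at this repository
# and this workflow filename, and the job upgrades to a recent npm CLI, since
# older CLI versions do not support OIDC publishing.
name: publish-to-npm

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # checkout only; the job cannot push to the repository
      id-token: write  # allows the job to request an OIDC identity token from GitHub
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # OIDC publishing depends on a recent npm CLI; the one bundled with
      # the Node release may be older, so upgrade it explicitly.
      - run: npm install -g npm@latest

      - run: npm ci

      # No NODE_AUTH_TOKEN and no token in .npmrc are configured anywhere.
      # With a trusted publisher registered, the npm CLI detects the Actions
      # OIDC environment, presents the identity token to the registry and
      # receives a short-lived credential scoped to this single publish.
      - run: npm publish
```

The registry accepts the publish only if the claims in the OIDC token (issuer, repository and workflow) match the trusted publisher entry, so the same `npm publish` command run from a fork, from a different workflow file, or from a developer laptop is rejected rather than silently succeeding with a leaked long-lived token.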
To tighten security further, legacy classic tokens will be deprecated, as will time-based one-time passwords (TOTP) for 2FA; users will instead be migrated to phishing-resistant Fast Identity Online (FIDO)-based 2FA.
René-Corail said the changes will be rolled out gradually but did not give specific timeframes, saying these will be provided along with documentation, migration guides and support channels for developers.
"We recognise that some of the security changes we are making may require updates to your workflow," he added.
The npm ecosystem has been targeted by supply chain attackers for some time now, with popular packages being compromised with malicious code.
On top of the Shai-Hulud worm, September this year saw another successful attack that added crypto-currency-stealing code to popular npm JavaScript packages with a combined total of around 2.7 billion weekly downloads.
As for the Shai-Hulud attack, René-Corail said that had GitHub and open source maintainers not acted in a timely fashion, "this worm could've enabled an endless stream of attacks".