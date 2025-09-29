GitHub acts on npm security after Shai-Hulud worm attack


Enhanced trusted publishing to limit ongoing supply chain attacks.

Microsoft-owned repository GitHub has responded to recent node package manager (npm) attacks such as the Shai-Hulud self-replicating worm, attempting to restore trust in the open-source ecosystem.


Senior director of security research Xavier René-Corail unveiled a roadmap for npm to secure the publication of packages.

Among the changes being implemented are a two-factor authentication (2FA) requirement for local publishing, and granular tokens that let developers restrict which packages and scopes a credential has access to.

Granular tokens can also be restricted to specific organisations, have expiration dates, be limited to particular Internet Protocol ranges, and be set to read-only, or have read and write access.

The Trusted Publishing authentication method from the Python Software Foundation to remove application programming interface (API) tokens from application build pipelines will also be introduced, René-Corail said.

This uses the OpenID Connect (OIDC) standard to authenticate publishing from the user's own infrastructure, and is built on OAuth 2.0.

npm maintainers can start using Trusted Publishing instead of tokens now, and can use the Web Authentication (WebAuthn) API rather than TOTP challenge-and-response codes, which can be captured through adversary-in-the-middle attacks.

To tighten security, legacy classic tokens for npm will be deprecated, along with time-based one-time passwords (TOTP) for 2FA; instead, users will be migrated to the more secure Fast Identity Online (FIDO) 2FA.
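To show what removing tokens from a build pipeline looks like in practice, here is an added example (not taken from GitHub's or npm's documentation) of two GitHub Actions workflow fragments: the first publishes with a long-lived `NPM_TOKEN` secret, the second relies on OIDC Trusted Publishing. It assumes the package has already been registered as a trusted publisher on npmjs.com for this repository and workflow file, and that the latest npm CLI supports OIDC publishing.

```yaml
# Before: a long-lived token stored as a repository secret. Anything that can
# read the secret during the job (including a compromised dependency) can publish.
name: publish-with-token
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # static credential

---
# After: no stored npm credential. The job requests a short-lived OIDC identity
# token from GitHub; the npm CLI exchanges it with the registry, which checks it
# against the trusted publisher registered for this repo/workflow (assumed done).
name: publish-trusted
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write      # required so the job can obtain an OIDC token
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
      - run: npm install -g npm@latest   # assumption: a recent CLI is needed for OIDC publishing
      - run: npm ci
      # No NODE_AUTH_TOKEN here: the CLI performs the OIDC exchange itself.
      # --provenance additionally attaches a signed build attestation to the release.
      - run: npm publish --provenance --access public
```

Because the OIDC token is scoped to one workflow run and expires quickly, a leaked copy is far less useful to an attacker than a classic token that remains valid until revoked.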

René-Corail said the changes will be rolled out gradually, but didn't provide a specific timeframe, saying one would be provided along with documentation, migration guides and support channels for developers.

"We recognise that some of the security changes we are making may require updates to your workflow," he added.

The npm ecosystem has been targeted by supply chain attackers for some time now, with popular packages being compromised with malicious code.

On top of the Shai-Hulud worm, September this year saw another successful attack that added malicious code to 2.7 billion npm JavaScript packages, for the purposes of stealing crypto-currency.

As for the Shai-Hulud hack, René-Corail said that had GitHub and open source maintainers not acted in a timely fashion, "this worm could've enabled an endless stream of attacks".

Copyright © iTnews.com.au . All rights reserved.