https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
In response to a surge in damaging account takeovers and malicious package distribution on the npm registry, GitHub is taking decisive action to strengthen the security of the open-source software ecosystem.
Recent incidents, such as the Shai-Hulud attack that infiltrated the npm ecosystem through compromised maintainer accounts, have highlighted the critical need to raise the bar on authentication and secure publishing practices. To address these threats, GitHub will implement changes to the npm registry, including requiring two-factor authentication for local publishing, introducing granular tokens with limited lifetimes, and expanding the use of trusted publishing.
By deprecating legacy token-based authentication, migrating to FIDO-based two-factor authentication, and setting publishing access to disallow tokens by default, GitHub aims to significantly reduce the risk of token abuse and self-replicating malware. The company recognizes that these security improvements may require updates to maintainers' workflows, and it is committed to supporting the open-source community through the transition with clear timelines, documentation, and migration guides.
GitHub’s efforts, combined with the broader software community’s commitment to fortifying the security of the global software supply chain, underscore the shared responsibility in safeguarding the open-source ecosystem. The company encourages npm maintainers to adopt trusted publishing as soon as possible to further enhance the security and integrity of the npm registry.
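As an added illustration of the trusted-publishing model the post recommends (this workflow is not part of the original post), the following GitHub Actions job publishes a package with a short-lived OIDC identity instead of a stored npm token. It assumes the package's trusted publisher has already been registered on npmjs.com for this repository and workflow filename, and that the npm CLI version installed supports trusted publishing; the repository, branch and Node version are placeholder values.

```yaml
# .github/workflows/publish.yml (assumed filename; must match the one
# registered as the trusted publisher on npmjs.com for this package)
name: publish

on:
  push:
    tags:
      - "v*"   # publish on version tags; adjust to the project's release flow

permissions:
  contents: read    # least privilege: the job only needs to read the source
  id-token: write   # required so the job can request an OIDC token for npm

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "22"                        # placeholder version
          registry-url: "https://registry.npmjs.org"

      # Make sure the npm CLI is recent enough to exchange the OIDC token
      # for a publish credential; older CLIs fall back to NODE_AUTH_TOKEN.
      - run: npm install -g npm@latest

      - run: npm ci

      # No NODE_AUTH_TOKEN or NPM_TOKEN secret is configured anywhere in this
      # workflow: the registry authenticates the job by its OIDC identity
      # (repository + workflow), so there is no long-lived token to leak.
      - run: npm publish
```

If the job fails with an authentication error, the usual causes are a missing `id-token: write` permission, a workflow filename that does not match the trusted publisher registered on npmjs.com, or an npm CLI too old to support OIDC exchange.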