In response to two recent security incidents involving the NPM registry, GitHub has announced that it will require two-factor authentication (2FA) for maintainers and administrators of popular JavaScript packages on NPM. This new policy aims to safeguard against account takeovers, a growing concern as the repository becomes an increasingly attractive target for malicious actors. GitHub, which acquired NPM in 2020, will implement the 2FA requirement starting with a group of top packages in the first quarter of 2022, with plans to expand it further as needed.
The move to enforce 2FA comes after multiple incidents where NPM accounts were compromised and used to inject harmful code into widely-used packages. GitHub has been monitoring these types of threats closely, and the latest measures are designed to make it more difficult for attackers to gain unauthorized access to critical accounts. The company pointed to two specific security breaches that prompted the decision to implement tighter controls on the registry.
The first incident occurred on October 26, when a routine maintenance procedure on a publicly available NPM service led to the unintended exposure of private package names. The database maintenance process on a public NPM replica caused records to be created that could reveal the names of private packages. While no other sensitive information, such as the contents of these packages, was exposed, package names in the format of @owner/package were briefly visible between October 21 and October 29. GitHub quickly rectified the issue by removing the records and putting safeguards in place to prevent similar occurrences in the future.
The second incident took place on November 2, when GitHub was alerted to a vulnerability that could have allowed attackers to publish unauthorized new versions of any NPM package. GitHub responded swiftly, patching the vulnerability within six hours of receiving the report. These two incidents highlighted the need for stronger security measures, which led GitHub to implement the mandatory 2FA policy for high-risk NPM package maintainers to ensure that the registry remains secure and trustworthy for developers worldwide.