SecurityWeek

Identity & Access

GitHub Improves npm Account Security as Incidents Rise

Microsoft-owned GitHub this week announced new npm security improvements, amid an increase in incidents involving malicious npm packages.

The improvements follow the enhanced account verification for npm that was announced in March, and accompany the mandatory two-factor authentication (2FA) requirement that the code-sharing platform has been phasing in over the past couple of months.

After a beta period, the new 2FA experience is available as an opt-in feature in npm 8.15.0 and will become the default in npm 9.

With the new experience, login and publish are handled in the browser: a user with an existing session only needs to supply the second factor or complete email verification, and repeated publishes from the same IP address with the same access token do not trigger another 2FA prompt for five minutes. That window is a deliberate convenience trade-off, since anyone able to reuse the same token from the same address inside it can publish without a second factor.

Developers can now also link their npm accounts to their GitHub and Twitter accounts through new integrations on both platforms, which helps verify account ownership and makes account recovery easier.

“We will no longer be showing the previously unverified GitHub or Twitter data on public user profiles, making it possible for developers to audit identities and trust that an account is who they say they are,” GitHub explains.

Additionally, GitHub announced a new ‘npm audit signatures’ command, available since npm CLI version 8.13.0, that verifies the registry signatures on installed packages so that developers can confirm a downloaded tarball is the one the registry published.

“Our next major milestone will be enforcing 2FA for all high-impact accounts, those that manage packages with more than 1 million weekly downloads or 500 dependents, tripling the number of accounts we will require to adopt a second factor,” GitHub also notes.

GitHub’s security improvements were announced amid an increase in cyberattacks targeting npm users, with multiple such incidents reported since the beginning of the year.

In early July, ReversingLabs warned of more than two dozen malicious npm packages that exfiltrated user data from mobile and desktop applications. The campaign delivered its malicious JavaScript through the open source npm package manager.

In March, Checkmarx warned of a threat actor fully automating the creation and delivery of hundreds of malicious npm packages. The attackers opened hundreds of accounts – one per package – to make the attack more difficult to detect.

Also in March, Snyk warned of a weaponized npm package targeting users in Russia and Belarus, to replace their files with a heart emoji. This was the destructive act of a single maintainer.

In February, Mend Diffend (formerly WhiteSource Diffend) reported that, over the course of six months, it had identified more than 1,300 malicious npm packages designed for credentials or cryptocurrency theft, or for running botnets.

The most recent of these reports came this week from Kaspersky, which detailed LofyLife, a campaign of four malicious npm packages containing Python and JavaScript code that steals Discord tokens and modifies Discord client files to monitor victim actions such as logins, credential changes and payment-method modifications.

In late April, GitHub disclosed a highly targeted incident in which unknown attackers used stolen OAuth user tokens to download dozens of private repositories.

Related: GitHub Confirms Another Major NPM Security Defect

Related: ‘Critical Severity’ Warning: Malware Found in Widely Deployed npm Packages

Related: ‘Critical Severity’ Warning for Malware Embedded in Popular JavaScript Library

Written by Ionut Arghire, an international correspondent for SecurityWeek.
