Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

GitHub Improves npm Account Security as Incidents Rise

Microsoft-owned GitHub this week announced new npm security improvements, amid an increase in incidents involving malicious npm packages.

Microsoft-owned GitHub this week announced new npm security improvements, amid an increase in incidents involving malicious npm packages.

The new improvements follow the rollout of an enhanced verification for npm accounts that was announced in March, and accompany the mandatory two-factor authentication (2FA) feature that the code-sharing platform has been rolling out over the past couple of months.

After introducing the new 2FA experience in beta, GitHub is now making it available in npm 8.15.0, as an opt-in feature – it will become the default in npm 9.

With the new experience, login and publishing are managed in the browser, so that users can login to an existing session by providing the second factor or email verification only, while also being able to publish multiple times using the same IP and access token without seeing the 2FA prompt for five minutes.

Now, developers can also link their npm accounts with their GitHub and Twitter accounts, courtesy of new integrations on both platforms, which will help verify accounts and recover them more easily.

“We will no longer be showing the previously unverified GitHub or Twitter data on public user profiles, making it possible for developers to audit identities and trust that an account is who they say they are,” GitHub explains.

Additionally, GitHub announced a new ‘audit signatures’ command available starting with npm CLI version 8.13.0, which should simplify the process of verifying the signatures of npm packages.

“Our next major milestone will be enforcing 2FA for all high-impact accounts, those that manage packages with more than 1 million weekly downloads or 500 dependents, tripling the number of accounts we will require to adopt a second factor,” GitHub also notes.

GitHub’s security improvements were announced amid an increase in cyberattacks targeting npm users, with multiple such incidents reported since the beginning of the year.

In early July, ReversingLabs warned of more than two dozen malicious npm packages exfiltrating user data from mobile and desktop applications. The campaign was focused on disseminating malicious JavaScript via the open source npm package manager.

In March, Checkmarx warned of a threat actor fully automating the creation and delivery of hundreds of malicious npm packages. The attackers opened hundreds of accounts – one per package – to make the attack more difficult to detect.

Also in March, Snyk warned of a weaponized npm package targeting users in Russia and Belarus, to replace their files with a heart emoji. This was the destructive act of a single maintainer.

In February, Mend Diffend (formerly WhiteSource Diffend) reported that, over the course of six months, it had identified more than 1,300 malicious npm packages designed for credentials or cryptocurrency theft, or for running botnets.

The most recent of these reports came this week from Kaspersky, which has detailed LofyLife, a malicious campaign involving four npm packages containing Python and JavaScript code designed to steal Discord tokens and infect Discord files to monitor victim actions – such as logins, credential changes, and payment method modifications.

In late April, GitHub disclosed a highly targeted incident that resulted in dozens of private repositories being downloaded by unknown attackers using stolen OAuth user tokens.

Related: GitHub Confirms Another Major NPM Security Defect

Related: ‘Critical Severity’ Warning: Malware Found in Widely Deployed npm Packages

Related: ‘Critical Severity’ Warning for Malware Embedded in Popular JavaScript Library

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.