
GitHub Improves npm Account Security as Incidents Rise

Microsoft-owned GitHub this week announced new npm security improvements, amid an increase in incidents involving malicious npm packages.

The new improvements follow the rollout of an enhanced verification for npm accounts that was announced in March, and accompany the mandatory two-factor authentication (2FA) feature that the code-sharing platform has been rolling out over the past couple of months.

After introducing the new 2FA experience in beta, GitHub is now making it available in npm 8.15.0, as an opt-in feature – it will become the default in npm 9.

With the new experience, login and publishing are managed in the browser: users can log in to an existing session by providing only the second factor or an email verification, and can publish multiple times from the same IP address with the same access token without seeing the 2FA prompt again for five minutes.

Now, developers can also link their npm accounts with their GitHub and Twitter accounts, courtesy of new integrations on both platforms, which will help verify accounts and recover them more easily.

“We will no longer be showing the previously unverified GitHub or Twitter data on public user profiles, making it possible for developers to audit identities and trust that an account is who they say they are,” GitHub explains.

Additionally, GitHub announced a new ‘audit signatures’ command available starting with npm CLI version 8.13.0, which should simplify the process of verifying the signatures of npm packages.

“Our next major milestone will be enforcing 2FA for all high-impact accounts, those that manage packages with more than 1 million weekly downloads or 500 dependents, tripling the number of accounts we will require to adopt a second factor,” GitHub also notes.

GitHub’s security improvements were announced amid an increase in cyberattacks targeting npm users, with multiple such incidents reported since the beginning of the year.

In early July, ReversingLabs warned of more than two dozen malicious npm packages exfiltrating user data from mobile and desktop applications. The campaign was focused on disseminating malicious JavaScript via the open source npm package manager.

In March, Checkmarx warned of a threat actor fully automating the creation and delivery of hundreds of malicious npm packages. The attackers opened hundreds of accounts – one per package – to make the attack more difficult to detect.

Also in March, Snyk warned of a weaponized npm package targeting users in Russia and Belarus, to replace their files with a heart emoji. This was the destructive act of a single maintainer.

In February, Mend Diffend (formerly WhiteSource Diffend) reported that, over the course of six months, it had identified more than 1,300 malicious npm packages designed for credentials or cryptocurrency theft, or for running botnets.

The most recent of these reports came this week from Kaspersky, which has detailed LofyLife, a malicious campaign involving four npm packages containing Python and JavaScript code designed to steal Discord tokens and infect Discord files to monitor victim actions – such as logins, credential changes, and payment method modifications.

In late April, GitHub disclosed a highly targeted incident that resulted in dozens of private repositories being downloaded by unknown attackers using stolen OAuth user tokens.

Related: GitHub Confirms Another Major NPM Security Defect

Related: ‘Critical Severity’ Warning: Malware Found in Widely Deployed npm Packages

Related: ‘Critical Severity’ Warning for Malware Embedded in Popular JavaScript Library

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
