Following several large-scale attack waves on the NPM ecosystem, its operators are now taking measures to prevent a recurrence. In August and September, unknown attackers not only took over several developer accounts but also injected a worm, dubbed “Shai-Hulud”, that independently infected further Node projects. To spread, the worm used authentication tokens, which the new measures now target.
NPM operator GitHub has already taken the first steps: since October 13th, granular NPM access tokens are no longer valid indefinitely but for a maximum of 90 days, and the default lifetime is now 7 days instead of 30. Two-factor authentication using TOTP (time-based one-time password) can no longer be newly set up by NPM package maintainers. Those who already use TOTP as a second factor for login can continue to do so for now but will soon have to switch to WebAuthn/passkeys.
Classic Tokens will be buried very soon
GitHub is completely burying the so-called “classic tokens” for authentication (e.g., in automations or CI/CD pipelines) by early November. The company is revoking the existing tokens of NPM package publishers, and no new ones can be created on npmjs.com. Affected parties must promptly obtain new, granular tokens and update their automations so that they do not hit the proverbial wall after the change.
With these steps, GitHub is partly implementing an announcement from late September; developers and DevOps teams are now required to act. GitHub explicitly emphasizes their responsibility: “We understand that these changes require effort from the community. Securing NPM is a shared responsibility.” The changes will cause temporary friction but are necessary to counter future attacks.
And compared to the September announcement, the Microsoft-owned developer platform is even stepping on the gas a bit more: while it then spoke of mid-November as the deletion date for “classic tokens,” GitHub now names the beginning of that month in an email sent to developers. Curiously, although the first steps took effect on Monday, October 13th, some npm package maintainers received the newsletter only three days later.
Outlook: Trusted Publishing
In the future, GitHub wants package maintainers to switch to the “trusted publishing” approach and to forgo long-lived access tokens entirely. Instead, access rights are granted on demand for each publish via the CI/CD provider, i.e., GitHub Actions or GitLab CI/CD. According to the company's blog post, this prevents tokens from being leaked and also improves traceability.
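As an added illustration (not from the article and not GitHub's or npm's own documentation), the following GitHub Actions workflow shows what a publish without any stored token looks like: the job is allowed to request an OIDC identity token (`id-token: write`), and npm exchanges that identity for a short-lived publish credential. The example assumes a public package whose trusted publisher has been configured on npmjs.com to point at this repository and this workflow file name (`publish.yml`), a release triggered by version tags, and an npm CLI recent enough to support trusted publishing (the upgrade step takes care of that).

```yaml
# .github/workflows/publish.yml  (added example; the file name must match the
# trusted-publisher entry configured for the package on npmjs.com)
name: Publish to npm

on:
  push:
    tags:
      - "v*"            # assumption: releases are cut from version tags

permissions:
  contents: read        # checkout only, nothing else in the repo is touched
  id-token: write       # lets the job mint an OIDC token that npm will trust

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs a recent npm CLI; upgrade explicitly rather
      # than relying on whatever version ships with the Node image.
      - run: npm install -g npm@latest

      - run: npm ci

      # No NODE_AUTH_TOKEN / NPM_TOKEN secret is set anywhere in this workflow:
      # npm authenticates with the job's OIDC identity and, for a public
      # repository, also attaches a provenance attestation to the release.
      - run: npm publish --access public
```

Two points matter when migrating an existing pipeline to this: if a leftover `NPM_TOKEN` secret or an `_authToken` line in a committed `.npmrc` is still present, npm will use that credential instead of the OIDC identity, so remove it to make sure the job really runs token-free; and the trusted-publisher entry on npmjs.com must name exactly this repository and workflow file, otherwise the registry rejects the publish.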
(cku)