This 2-factor authentication ruling will apply to both maintainers, as well as administrators of the most popular packages on the NPM registry. According to GitHub, even a simple registry-wide 2FA requirement would be able to prevent any account takeovers on NPM. This was detailed further in a blog post published on November 19th. The site-wide 2FA policy will take effect for users of the top-most NPM packages starting in the first quarter of 2022.
How Did We Get Here?
Several times now, GitHub’s developers and security teams have spotted illicit activity within NPM’s registries. It categories these incidents as cases where compromised NPM accounts are used to insert infected code into some of the most popular packages to date. Worse, these bad actors can infect any package whereby those accounts – now compromised – have access to. Two breaches were recorded on October 26th and November 2nd.
On October 26th, routine technical maintenance by GitHub caused an issue where a public NPM database could accidentally expose the names of private packages. This would’ve otherwise allowed all users access to names or data on restricted data packages. As for the case on November 2nd, a report was filed detailing how an attacker could publish a new – and possibly infected – version of existing NPM packages, without sufficient authorization.