How GitHub’s New npm Security Measures Aim to Stop Supply‑Chain Worms

GitHub is tightening npm security by removing infected packages, enforcing two‑factor authentication for publishing, shortening token lifespans, and expanding trusted publishing to curb the Shai‑Hulud worm and protect the open‑source supply chain.

21CTO
To counter recent npm supply‑chain attacks, GitHub has introduced several security enhancements.

Recent attacks on the JavaScript npm ecosystem were driven by a self‑replicating worm named Shai‑Hulud. It abuses compromised publishing credentials to republish the packages a maintainer controls with malicious code injected, so each new install of an infected package spreads the worm further across npm.

GitHub’s initial response removed over 500 compromised packages from the npm registry and blocked uploads of new packages matching the worm’s indicators of compromise.

GitHub now plans to change npm’s authentication and publishing options to reduce token abuse and the risk of self‑replicating malware: local publishing (from a developer’s machine) will require two‑factor authentication (2FA), granular access tokens that can publish will be limited to a seven‑day lifetime, and trusted publishing, in which a CI provider authenticates to npm with a short‑lived OIDC credential minted for a single workflow run, will replace long‑lived tokens in automated pipelines.

GitHub also announced that classic (non‑granular) tokens will be deprecated, that time‑based one‑time‑password (TOTP) 2FA will be removed in favor of phishing‑resistant FIDO/WebAuthn authenticators, that publishing access will deny tokens by default so packages are published either through trusted publishing or through 2FA‑protected local publishing, and that the set of supported trusted‑publishing providers will be expanded.
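To make the token‑to‑trusted‑publishing migration concrete, here is an added example (not code from the article or from GitHub’s announcement) of a GitHub Actions release workflow in its weak form, which publishes with a long‑lived NPM_TOKEN stored as a repository secret, followed by the trusted‑publishing form, which stores no npm secret at all. The package name, repository and workflow filename are assumptions; the second version only publishes after the package’s trusted publisher has been registered on npmjs.com for that exact repository and workflow filename.

```yaml
# BEFORE (weak): a long-lived automation token kept in a repository secret.
# The token sits at rest in the repo's secrets and usually in a maintainer's
# ~/.npmrc as well; anything that runs during the publish step (the package's
# own lifecycle scripts, or a malicious dependency they pull in) can read it,
# and it stays valid long after this run ends.
# Assumed (hypothetical): package "example-pkg" in repo example-org/example-pkg.
name: release-with-token
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived classic/granular token
---
# AFTER (hardened): trusted publishing. No npm credential is stored anywhere.
# The job requests a short-lived GitHub OIDC token (id-token: write); npm
# exchanges it for a publish credential valid only for this run and only for
# the repository + workflow filename registered on npmjs.com under the
# package's "Trusted publisher" settings. npm >= 11.5.1 is required, and
# publishing this way also attaches a provenance attestation automatically.
# Assumed (hypothetical): this file is saved as .github/workflows/release.yml,
# matching the filename registered on npmjs.com.
name: release-trusted
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write        # lets this job mint an OIDC token; nothing else is granted
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
      - run: npm install -g npm@latest   # ensure npm >= 11.5.1 for OIDC support
      - run: npm ci --ignore-scripts      # skip dependency install scripts in the release job
                                          # (drop the flag if a dependency needs a native build)
      - run: npm publish                  # no NODE_AUTH_TOKEN: npm authenticates via OIDC
```

The second form is the end state GitHub’s plan pushes toward: there is no long‑lived secret for a worm to harvest, a credential leaked from one run is useless in the next, and the registry can tie the published version to the exact repository and workflow that built it.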

Recognizing that these changes may disrupt existing workflows, GitHub will roll them out gradually, providing detailed timelines, documentation, migration guides, and multiple support channels.

“True resilience requires active participation and vigilance from everyone in the software industry. By adopting strong security practices and leveraging available toolchains, we can collectively build a safer, more trustworthy open‑source ecosystem.”

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Software Security, GitHub, npm, token management, Two-Factor Authentication, supply-chain security, trusted publishing
Written by 21CTO

21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.
