GitHub tightens npm publishing security after large self‑propagating npm compromise

Tags: Node.js, npm, Security, DevOps

Key update

GitHub has published a plan to harden the npm publishing model in direct response to a large, self‑propagating supply‑chain compromise. The changes it describes: two‑factor authentication becomes mandatory for local publishes, with TOTP being phased out in favour of FIDO‑based 2FA where possible; legacy long‑lived (classic) tokens are deprecated; granular tokens with publish rights are capped at a seven‑day lifetime; and trusted publishing (OIDC‑based, short‑lived CI credentials with provenance attestations) becomes the recommended path for automated releases. GitHub is rolling these measures out in the near term as part of an emergency security response. (github.blog)

Why it matters

This is immediately actionable and material for every JavaScript/Node team. Build pipelines that currently publish with NODE_AUTH_TOKEN or another long‑lived publish token must move to trusted publishing (OIDC) or, failing that, to short‑lived granular tokens. Maintainer accounts that publish packages will need 2FA, most likely with a FIDO authenticator (a hardware security key or a platform authenticator such as a passkey), and should plan token rotation and a credential inventory now. In practice that means updating CI workflows to request an ID token, removing persistent auth environment variables and secrets from publish jobs, upgrading the npm CLI where trusted publishing requires it, testing provenance verification on the consuming side, and auditing both published packages and the automation runners that produce them. The net result is higher operational cost up front (migrating and testing pipelines) but a much smaller attack surface for supply‑chain abuse and stronger provenance for releases, which is essential for teams that publish packages or consume many transitive dependencies. (github.blog)
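The pipeline change described above, as an added example written for this page (it is not code from the github.blog post or from npm): a GitHub Actions release workflow before and after moving from a long‑lived token to npm trusted publishing. The package, tag pattern, Node version and workflow filename are illustrative assumptions, and the "after" job assumes the package has already been registered on npmjs.com with this repository and workflow file as its trusted publisher.

```yaml
# Added example (editor's, not from the github.blog post or npm docs).
# Two workflow documents: the weak "before" and the hardened "after".

# --- BEFORE: long-lived publish token stored as a repository secret ----
# Weak setting: NPM_TOKEN is a standing credential. Anything that can read
# repository secrets (a compromised third-party action, a malicious
# postinstall script running in this job, an exposed runner) can publish
# as the maintainer long after this run finishes.
name: publish (legacy token)
on:
  push:
    tags: ['v*']            # assumed release trigger
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # the credential to retire
---
# --- AFTER: trusted publishing (OIDC, short-lived, with provenance) ----
# Assumed prerequisites: the package on npmjs.com lists this repository and
# this workflow file (publish.yml) as a trusted publisher, and the job runs
# npm 11.5.1 or newer. No registry token is stored anywhere. The job asks
# GitHub for a short-lived OIDC ID token, which the npm CLI exchanges with
# the registry for a publish credential scoped to this single run, and the
# registry attaches a provenance attestation to the published version.
name: publish (trusted publishing)
on:
  push:
    tags: ['v*']            # assumed release trigger
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write       # lets the job request the OIDC ID token
      contents: read        # nothing else; least privilege for the job
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
      # Make sure the CLI is new enough to speak OIDC to the registry.
      # Pin an exact, reviewed version in a real pipeline rather than a range.
      - run: npm install -g npm@11
      - run: npm ci
      # No NODE_AUTH_TOKEN and no secrets.* reference anywhere in this job.
      - run: npm publish --access public
```

On the consuming side, `npm audit signatures` checks the registry signatures and provenance attestations of installed packages, which is how you confirm the "after" workflow is actually producing attested releases. For the inventory step, `npm token list` and `npm token revoke <id>` enumerate and retire the standing tokens the "before" workflow depended on; the existing token must be revoked, not just removed from the workflow, or the compromise window stays open.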
