
GitHub Boosting Security in Response to NPM Supply Chain Attacks


In light of recent supply chain attacks targeting the NPM ecosystem, GitHub will implement tighter authentication and publishing rules meant to improve the NPM registry’s security.

Several major incidents occurred over the past three months, with the most recent involving the Shai-Hulud self-replicating worm that impacted dozens of maintainer accounts last week. The attackers compromised 195 packages and pushed over 500 malicious package versions to the registry.

A week before, 18 NPM packages maintained by Josh Junon were injected with malware after the maintainer fell victim to a phishing campaign impersonating NPM support. The packages have over 2.5 billion weekly downloads.

In July, multiple packages with combined weekly downloads of over 30 million were poisoned after attackers targeted their maintainers using typosquatting to impersonate the Node.js package registry.

According to GitHub, the Shai-Hulud attack triggered swift action from the platform and the community to remove the ...


Copyright of this story solely belongs to SecurityWeek.