GitHub Introduces npm Security with Stronger Authentication and Trusted Publishing
gbhackers

Open source software powers much of today’s technology, enabling developers around the world to build and share tools, libraries, and applications.
However, the same openness that drives innovation also presents serious security challenges. Attackers regularly target package registries like npm to compromise accounts and inject malicious code.
In response, GitHub has announced significant updates to npm security, focusing on stronger authentication methods, short-lived tokens, and trusted publishing.
These changes aim to protect the open source community and safeguard the software supply chain.
In mid-September 2025, a self-replicating worm known as the Shai-Hulud attack infiltrated multiple popular JavaScript packages.
By hijacking maintainer accounts, the worm injected harmful post-install scripts into widely used libraries.
These scripts could steal secrets beyond npm tokens and propagate further attacks if left unchecked.
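The post-install scripts described above run automatically during `npm install`, which is why reviewing which dependencies declare install-time lifecycle hooks is a useful first check. The script below is an added example, not code from the article or from GitHub; it walks a `node_modules` tree, reports every package that declares a `preinstall`, `install` or `postinstall` script, and builds a small constructed tree (with hypothetical package names `example-clean` and `example-hooked`) so it runs offline.

```python
import json
import os
import tempfile
from pathlib import Path

# npm lifecycle hooks that execute automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_scripts(root):
    """Walk a node_modules tree and return {package_name: {hook: command}}
    for every package.json that declares an install-time lifecycle script."""
    findings = {}
    root = Path(root)
    for manifest in root.rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # Unreadable or malformed manifest: skip rather than abort the scan.
            continue
        scripts = data.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            name = data.get("name") or str(manifest.parent.relative_to(root))
            findings[name] = hooks
    return findings


def build_sample_tree():
    """Constructed sample node_modules: one package with only a test script
    and one carrying a postinstall hook. Package names are hypothetical."""
    tmp = tempfile.mkdtemp()
    clean = Path(tmp) / "node_modules" / "example-clean"
    hooked = Path(tmp) / "node_modules" / "example-hooked"
    clean.mkdir(parents=True)
    hooked.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({
        "name": "example-clean", "version": "1.0.0",
        "scripts": {"test": "node test.js"}}), encoding="utf-8")
    (hooked / "package.json").write_text(json.dumps({
        "name": "example-hooked", "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"}}), encoding="utf-8")
    return tmp


if __name__ == "__main__":
    tree = build_sample_tree()
    results = find_install_scripts(os.path.join(tree, "node_modules"))
    for pkg, hooks in results.items():
        for hook, cmd in hooks.items():
            print(f"{pkg}: {hook} -> {cmd}")
```

Point the function at a real project's `node_modules` to get the same report for actual dependencies. A hook in the output is not proof of compromise, since many legitimate native packages build during `postinstall`, but each one is code that runs with the installing user's privileges and deserves a look; `npm install --ignore-scripts` disables these hooks entirely when that is acceptable for the project.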
GitHub and open source maintainers responded swiftly by removing over 500 compromised packages from the registry and blocking uploads containing known indicators ...
Copyright of this story solely belongs to gbhackers.