
Hundreds of compromised packages pulled as registry shifts to 2FA and trusted publishing


GitHub, which owns the npm registry for JavaScript packages, says it is tightening security in response to recent attacks.

September has been a bad month for npm with phishing attacks on package maintainers and hundreds of packages infected by secret-stealing malware.

GitHub Security Lab lead Xavier René-Corail said that more than 500 compromised packages have been removed and others blocked from upload by security scanning.

René-Corail also described changes that he hopes will strengthen security. Many existing authentication methods will be removed "in the near future," including legacy classic tokens and one-time passwords for two-factor authentication (2FA). Token lifetimes will also be shortened, with a switch to trusted publishing and 2FA-enforced local publishing by default.

The workflow for trusted publishing

Trusted publishing was first adopted by the PyPI package index and is designed for automated workflows. Using OpenID Connect, the package repository verifies that a package comes from a trusted ...


Copyright of this story solely belongs to theregister.co.uk.