
"GitHub on Monday announced that it will be changing its authentication and publishing options "in the near future" in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack. This includes steps to address threats posed by token abuse and self-replicating malware by allowing local publishing with required two-factor authentication (2FA), granular tokens that will have a limited lifetime of seven days, and trusted publishing, which enables the ability to securely publish npm packages directly from CI/CD workflows."
"To support these changes, the Microsoft-owned company said it will be enacting the following steps:
- Deprecate legacy classic tokens.
- Deprecate time-based one-time password (TOTP) 2FA, migrating users to FIDO-based 2FA.
- Limit granular tokens with publishing permissions to a shorter expiration.
- Set publishing access to disallow tokens by default, encouraging usage of trusted publishers or 2FA-enforced local publishing.
- Remove the option to bypass 2FA for local package publishing.
- Expand eligible providers for trusted publishing."
GitHub will change authentication and publishing options for npm to counter supply chain attacks such as Shai-Hulud. The changes allow local publishing only with required two-factor authentication, introduce granular tokens with a seven-day lifetime, and add trusted publishing that uses OpenID Connect to publish packages securely from CI/CD workflows. Trusted publishing uses short-lived, workflow-specific credentials and prevents credential exfiltration while the npm CLI automatically generates and publishes provenance attestations for each package. Additional actions include deprecating legacy classic tokens, migrating TOTP 2FA to FIDO-based 2FA, disallowing tokens by default for publishing, removing 2FA bypass for local publishing, and expanding trusted publishing providers.
Read at The Hacker News